CN113806724B - User login request processing method and device - Google Patents


Info

Publication number: CN113806724B
Application number: CN202111147392.0A
Authority: CN (China)
Prior art keywords: user, authentication, role, authentication mode, login request
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113806724A
Inventors: 韦月, 陆永贵
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN202111147392.0A; publication of CN113806724A; application granted; publication of CN113806724B; legal status Active; anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The disclosure relates to a method and device for processing a user login request, an electronic device and a computer-readable medium. The method comprises the following steps: acquiring a login request from a user; extracting the user's authentication mode from the login request; acquiring a role identifier based on the authentication mode; determining a target resource group according to the role identifier; and processing the user's login request based on the target resource group. The method, device, electronic device and computer-readable medium for processing a user login request can effectively combine hierarchy management with permission management, improve user login efficiency, improve network operation efficiency and improve the quality of configuration management.

Description

User login request processing method and device
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a method, an apparatus, an electronic device, and a computer readable medium for processing a user login request.
Background
Permission management generally means that, according to the security rules or security policies set by the system, users can access exactly the resources they are authorized for, no more and no less. Permission management is present in almost any system that has user accounts and passwords. A poorly designed permission system leaves holes that attackers can exploit: in many applications, unauthorized data can be obtained through URL manipulation, SQL injection and similar techniques, and system data can even be modified or deleted, causing serious losses. In many systems, particularly those that hard-code permission checks, the permission logic is tightly coupled to the business code and scattered throughout the system. Such systems tend to have many holes, and as the system is continuously modified the number of holes grows. A well-designed system should centralize the permission logic in a dedicated security engine that defines and evaluates it; the business logic then calls the security engine to obtain the authorization result instead of re-implementing checks in an ad hoc way.
As the platform's user base grows, application functions become richer and customer requirements change. When there are high demands on configuring and managing multiple resource permissions, the original SSL VPN user group-user-resource group structure, even when optimized for better performance, still suffers from repetitive and tedious configuration operations, and the boundary between user management and permission management is relatively blurred.
The above information disclosed in the background section is only for enhancement of understanding of the background of the disclosure and therefore it may include information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a method, an apparatus, an electronic device and a computer-readable medium for processing a user login request, which can effectively combine hierarchy management with permission management, improve user login efficiency, improve network operation efficiency and improve the quality of configuration management.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to an aspect of the present disclosure, a method for processing a user login request is provided, where the method includes: acquiring a login request of a user; extracting an authentication mode of the user based on the login request; acquiring a role identifier based on the authentication mode; determining a target resource group according to the role identifier; and processing the login request of the user based on the target resource group.
In an exemplary embodiment of the present disclosure, acquiring the role identifier based on the authentication mode includes: when the user's authentication mode is the authentication-free mode, determining the user's role identifier from the global configuration information.
In an exemplary embodiment of the present disclosure, acquiring the role identifier based on the authentication mode includes: when the user's authentication mode is local authentication, acquiring local configuration information through the authentication function, and determining the role identifier from that configuration information.
In an exemplary embodiment of the present disclosure, acquiring the role identifier based on the authentication mode includes: when the user's authentication mode is RADIUS authentication, performing RADIUS authentication of the user, and after RADIUS authentication succeeds, extracting the role identifier from the RADIUS server's response message.
In an exemplary embodiment of the present disclosure, acquiring the role identifier based on the authentication mode includes: when the user's authentication mode is LDAP authentication, performing LDAP authentication of the user, and after LDAP authentication succeeds, extracting the role identifier from the LDAP server's response message.
In an exemplary embodiment of the present disclosure, acquiring the role identifier based on the authentication mode includes: when the user's authentication mode is TACACS+ authentication, WEB authentication or 4A authentication, extracting the role identifier from the configuration information.
In an exemplary embodiment of the present disclosure, determining the target resource group according to the role identifier includes: generating a role set based on the role identifiers, the role set including at least one role identifier; merging and de-duplicating the role identifiers in the role set; and extracting the target resource group according to the role set.
In an exemplary embodiment of the present disclosure, extracting the target resource group according to the role set includes: generating a database query statement from the role identifiers in the role set; acquiring the target resource group by executing the database query statement; and storing the target resource group in a preset array.
In an exemplary embodiment of the present disclosure, processing the user's login request based on the target resource group includes: acquiring resource content based on the target resource group; and writing the resource content into the user's online information so that the user can operate on those resources.
According to an aspect of the present disclosure, a processing device for a user login request is provided, where the device includes: the login module is used for acquiring a login request of a user; the authentication module is used for extracting the authentication mode of the user based on the login request; the role module is used for acquiring a role identifier based on the authentication mode; the resource module is used for determining a target resource group according to the role identification; and the processing module is used for processing the login request of the user based on the target resource group.
According to an aspect of the present disclosure, there is provided an electronic device including: one or more processors; a storage means for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the methods as described above.
According to an aspect of the present disclosure, a computer-readable medium is presented, on which a computer program is stored, which program, when being executed by a processor, implements a method as described above.
A role-based user login authorization method is used in a system that provides remote access over SSL VPN. The method comprises: establishing the correspondence between users, authentication modes and roles, and between roles and resource groups; receiving a login request sent by a client; judging whether the login request requires authentication: if authentication is required, authenticating according to the login request's authentication mode and, after successful authentication, acquiring the user's corresponding role; if authentication is not required, acquiring the role corresponding to the authentication-free user; and then acquiring the corresponding resource group according to the role. The method further establishes the correspondence between users and user groups, and between user groups and roles. When the authentication mode is local authentication, the user may choose to inherit the roles of the corresponding user group. When the authentication mode is remote authentication, the authentication data in the login request is sent to an authentication server, and the authentication result returned by the server is received. After successful authentication, if the user has no corresponding role, the default role configured for the authentication mode is acquired. Remote authentication includes the RADIUS and LDAP authentication modes. When a user acquires multiple roles, the roles are merged and then de-duplicated.
According to the role-based user login authorization method and system, first, by introducing the concept of roles, resource groups are bound to roles, and roles can be associated independently with users or user groups; users may choose to inherit the roles of their user group. This structural configuration reasonably weakens the association between user groups and users in permission management, so that the boundary between user hierarchy management and permission management is clearly defined. Second, the correspondence between user groups and users expresses the hierarchical relationship between them and can still be combined effectively with permission management. Furthermore, binding default roles to the configured authentication modes meets the processing requirements of different types of client login requests and enhances the extensibility of the system. In addition, the code has been optimized around the existing database query behaviour and the role specification, reducing the number of database queries to improve system operating efficiency.
With the method, device, electronic device and computer-readable medium for processing a user login request, the user's login request is acquired; the user's authentication mode is extracted from the login request; a role identifier is acquired based on the authentication mode; a target resource group is determined according to the role identifier; and the user's login request is processed based on the target resource group. In this way hierarchy management and permission management can be effectively combined, user login efficiency is improved, network operation efficiency is improved, and the quality of configuration management is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely examples of the present disclosure and other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a system block diagram illustrating a method and apparatus for processing a user login request according to an exemplary embodiment.
Fig. 2 is a flow chart illustrating a method of processing a user login request, according to an exemplary embodiment.
Fig. 3 is a schematic diagram illustrating a method for processing a user login request according to another exemplary embodiment.
Fig. 4 is a flowchart illustrating a method of processing a user login request according to another exemplary embodiment.
Fig. 5 is a block diagram illustrating a processing apparatus for a user login request according to an exemplary embodiment.
Fig. 6 is a block diagram of an electronic device, according to an example embodiment.
Fig. 7 is a block diagram of a computer-readable medium shown according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another element. Accordingly, a first component discussed below could be termed a second component without departing from the teachings of the concepts of the present disclosure. As used herein, the term "and/or" includes any one of the associated listed items and all combinations of one or more.
Those skilled in the art will appreciate that the drawings are schematic representations of example embodiments and that the modules or flows in the drawings are not necessarily required to practice the present disclosure, and therefore, should not be taken to limit the scope of the present disclosure.
The technical abbreviations to which the present disclosure relates are explained as follows:
SSL VPN: VPN technology that establishes a remote secure access channel based on the Secure Sockets Layer (SSL) protocol.
Resource group: a set of resources that may be accessed.
Role: a collection of resource groups; a role is associated with a user or a user group to grant the user the corresponding permissions.
User: the SSL VPN login entity, which establishes a connection with the server by logging into the VPN client with an account and password.
User group: a hierarchical classification of SSL VPN users; roles, address pools and so on can be set for the users in a group in batch, which facilitates unified management.
As described above, the SSL VPN has a native user group-user-resource group structure which, even when optimized for better performance, suffers from repetitive and cumbersome configuration operations and a relatively blurred boundary between user management and permission management. To solve this problem, the prior art introduced the concept of roles, separating permission management from user management.
The original user group-user-resource group structure can only grant resource permissions to a user by configuring resource groups for a user group and associating the user with that group. In practice, however, an individual user may need specific permissions that the user group does not, and that structure obviously does not support this scenario. With the concept of roles, resource groups are bound to roles, and a role can be associated independently with a user group or a user; the permission relationship between user group and user is reasonably weakened, and hierarchy management and permission management are cleanly separated. At the same time, a user can choose to inherit the roles of the user group, which reflects the hierarchical relationship between user and user group and combines it effectively with permission management. In terms of operating efficiency, some time-consuming database operations occur when user groups, users and roles are configured, and the code has been optimized accordingly using suitable data structures.
In the prior art, after the role concept is introduced, the following three schemes exist:
RBAC0 (user, role, permission):
The simplest user-role-permission model, which comes in two variants: user-to-role is one-to-many in the first and many-to-many in the second. If the system's functions are simple, it has few users, the permissions of each post are clear and no one holds several posts at once, the first variant can be used. Otherwise the many-to-many variant should be used wherever possible to keep the system extensible.
RBAC1 (RBAC0 plus sub-roles):
Compared with the RBAC0 model, sub-roles and the concept of inheritance are added: a sub-role inherits all permissions of its parent role. Suppose a department has three posts: manager, supervisor and technician. The supervisor's permissions must not exceed the manager's, and the technician's must not exceed the supervisor's. If the permission system is designed with RBAC0, a permission-assignment mistake is likely, and a supervisor may end up with a permission that the manager does not have. The RBAC1 model solves this, because the hierarchical relationship is expressed through the roles themselves.
RBAC2 (RBAC0 plus constraints):
On top of the RBAC0 model, role mutual exclusion, cardinality constraints, prerequisite roles and so on are added. Role mutual exclusion means that a user cannot be assigned more than one role from a set of mutually exclusive roles, where mutually exclusive roles are roles whose permissions restrict each other. A cardinality constraint limits the number of users a role can be assigned to, that is, how many users may hold the role. A prerequisite role means that to obtain a higher permission a user must first hold the permission one level below it. Run-time mutual exclusion allows a user to hold several roles but does not allow mutually exclusive roles to be activated at the same time.
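As an added example (not code from the patent or from DPTech), the following Python models the three prior-art variants just described: RBAC1 inheritance, in which the senior role inherits every permission of the junior role so that a supervisor can never hold a permission the manager lacks, and the RBAC2 constraints (static role mutual exclusion, cardinality, prerequisite role and run-time mutual exclusion). All role names, permissions and constraint tables are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample policy (illustration only; not the patent's data model).
# RBAC1: a senior role inherits all permissions of the junior roles listed here,
# so the senior role's effective permissions are always a superset of the junior's.
INHERITS = {"manager": ["supervisor"], "supervisor": ["technician"], "technician": []}
DIRECT_PERMS = {
    "technician": {"ticket:read", "ticket:update"},
    "supervisor": {"ticket:assign"},
    "manager": {"report:export"},
}
# RBAC2 constraints (constructed):
STATIC_MUTEX = [{"payer", "approver"}]       # a user may never hold both
DYNAMIC_MUTEX = [{"supervisor", "auditor"}]  # may hold both, may not activate both at once
MAX_USERS = {"auditor": 2}                   # cardinality constraint
PREREQ = {"auditor": "technician"}           # prerequisite role


class ConstraintError(Exception):
    """Raised when a session would violate a run-time (dynamic) constraint."""


def effective_permissions(role):
    """Permissions of `role` plus everything inherited through the hierarchy."""
    perms, seen, stack = set(), set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= DIRECT_PERMS.get(current, set())
        stack.extend(INHERITS.get(current, []))
    return frozenset(perms)


def hierarchy_is_consistent():
    """True if every senior role's permissions are a superset of each junior's."""
    return all(
        effective_permissions(junior) <= effective_permissions(senior)
        for senior, juniors in INHERITS.items()
        for junior in juniors
    )


class Assignments:
    """User-role assignments checked against the static RBAC2 constraints."""

    def __init__(self):
        self.user_roles = defaultdict(set)

    def assign(self, user, role):
        """Return None if the assignment is accepted, else the reason it is refused."""
        held = self.user_roles[user]
        for group in STATIC_MUTEX:
            conflict = held & (group - {role})
            if role in group and conflict:
                return f"{role} is mutually exclusive with {sorted(conflict)}"
        if role in PREREQ and PREREQ[role] not in held:
            return f"{role} requires {PREREQ[role]} first"
        holders = sum(role in roles for roles in self.user_roles.values())
        if role in MAX_USERS and holders >= MAX_USERS[role]:
            return f"{role} already has its maximum of {MAX_USERS[role]} users"
        held.add(role)
        return None

    def activate(self, user, roles):
        """Start a session with `roles` and return the permissions it grants."""
        wanted = set(roles)
        missing = wanted - self.user_roles[user]
        if missing:
            raise ConstraintError(f"{user} is not assigned {sorted(missing)}")
        for group in DYNAMIC_MUTEX:
            if len(wanted & group) > 1:
                raise ConstraintError(f"cannot activate {sorted(wanted & group)} together")
        perms = set()
        for role in wanted:
            perms |= effective_permissions(role)
        return frozenset(perms)


if __name__ == "__main__":
    a = Assignments()
    for user, role in [("u1", "technician"), ("u1", "auditor"), ("u1", "payer"), ("u1", "approver")]:
        print(user, role, a.assign(user, role) or "ok")
    print(sorted(effective_permissions("manager")))
```

`hierarchy_is_consistent()` is the check that RBAC0 cannot give you: with inheritance expressed in the role graph, the supervisor's permissions are a subset of the manager's by construction rather than by the discipline of whoever edits the assignment table.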
All three schemes are models designed around users, roles and permissions, and their hierarchy management is based on sub-role inheritance. Where the organizational structure is weak, with little emphasis on superior and subordinate levels, as in the user management of the current SSL VPN, the concept and effect of sub-roles are not significant, and bolting roles and their inheritance onto the existing user-user group-resource group structure is not a moderate scheme for design, implementation and configuration upgrade.
The user login request processing method of this disclosure is a hierarchical permission management scheme based on roles and authentication modes; it introduces a role-based permission control mechanism on top of the user-user group-resource group structure. Hierarchy management is expressed through the user-user group structure, which is simple, clear and concise. In permission control, resource-group permissions are bound to roles, the relationship between user group and user is decoupled, and an authentication mode may bind a default role, which enhances extensibility. In terms of operating efficiency, the delay caused by database operations during configuration and display is optimized. A user can choose to inherit the roles of the user group or be configured with roles independently; hierarchy management and permission control are effectively combined, and scenarios with demanding per-user permission definitions can be supported.
The following is a detailed description with the aid of specific examples.
Fig. 1 is a system block diagram illustrating a method and an apparatus for processing a user login request according to an exemplary embodiment.
As shown in fig. 1, the system architecture 10 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server providing login support for shopping-type websites browsed by the user using the terminal devices 101, 102, 103. The background management server can process the received login request and feed back the processing result (whether the login is successful or not and the user permission) to the terminal equipment.
Server 105 may, for example, obtain a login request for a user; server 105 may extract an authentication mode of the user, e.g., based on the login request; server 105 may obtain a role identification, e.g., based on the authentication means; server 105 may determine a target resource group, for example, from the role identification; server 105 may process the user's login request, for example, based on the target resource group.
The server 105 may be an entity server, and may be composed of a plurality of servers, for example, and a part of the server 105 may be used to assist a user in logging in, for example; some of the servers 105 may also be used, for example, to configure the rights of the user.
It should be noted that, the method for processing the user login request provided in the embodiment of the present disclosure may be executed by the server 105, and accordingly, the processing device for the user login request may be set in the server 105. While the requesting end, which is provided to the user for sending a login request, is typically located in the terminal device 101, 102, 103.
Fig. 2 is a flow chart illustrating a method of processing a user login request, according to an exemplary embodiment. The processing method 20 of the user login request at least includes steps S202 to S210.
As shown in fig. 2, in S202, a login request of a user is acquired. The user can submit a login request on a preset application, and a background server of the preset application acquires and processes the login request.
The preset application may be a shopping application, a data processing application, an office application, or the like, which should not be limited to this.
In S204, the user's authentication mode is extracted from the login request. The authentication mode is determined from the message information in the login request; it may include local authentication, RADIUS authentication, LDAP authentication, TACACS+ authentication, WEB authentication, 4A authentication, the authentication-free mode, and so on.
RADIUS is a client/server protocol. Its client was originally the NAS (Network Access Server), and any computer running RADIUS client software can act as a RADIUS client. The RADIUS authentication mechanism is flexible and can use PAP, CHAP, Unix login authentication and other methods. It is used for ordinary dial-up networking, ADSL, residential broadband, IP telephony, VPDN (Virtual Private Dial-up Network, a virtual private network service for dial-up subscribers), mobile prepaid billing and more. The IEEE 802.1X standard, a port-based access authentication standard for wireless networks, also uses the RADIUS protocol for authentication.
LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol; an LDAP directory stores data in a tree-like hierarchy.
WEB authentication requires no special client software, which reduces the network maintenance workload, and can provide portal or other service authentication. First an address must be allocated to the user so that the portal site can be reached; the user types a user name and password into the login window, which are passed through a RADIUS client to the RADIUS server for authentication. If authentication passes, the client is triggered to re-initiate an address allocation request, and the user is allocated an address that can reach the external network. When the user goes offline, an offline request is initiated through the client.
4A stands for Authentication, Authorization, Account and Audit; its Chinese name is the unified security management platform solution. Authentication, authorization, accounting and audit are defined as the four major components of network security, which establishes the position and function of identity authentication in the overall network security system.
In S206, a role identifier is acquired based on the authentication method.
In one embodiment, when the user's authentication mode is the authentication-free mode, the user's role identifier is determined from the global configuration information.
In one embodiment, when the user's authentication mode is local authentication, local configuration information is obtained through the authentication function, and the role identifier is determined from that configuration information.
In one embodiment, when the user's authentication mode is RADIUS authentication, RADIUS authentication of the user is performed, and after RADIUS authentication passes, the role identifier is extracted from the RADIUS server's response message.
In one embodiment, when the user's authentication mode is LDAP authentication, LDAP authentication of the user is performed, and after LDAP authentication passes, the role identifier is extracted from the LDAP server's response message.
In one embodiment, when the user's authentication mode is TACACS+ authentication, WEB authentication or 4A authentication, the role identifier is extracted from the configuration information.
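The following Python is an added example (not the patent's or DPTech's code) of the RADIUS branch of S206: it takes an Access-Accept, verifies the Response Authenticator against the shared secret and the request authenticator before trusting any attribute, and then reads the role name from the Filter-Id attribute. The patent does not say which attribute carries the role identifier; Filter-Id (RFC 2865 type 11) is an assumption, as are the shared secret, request authenticator and packet contents constructed below.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_FILTER_ID = 11  # RFC 2865 Filter-Id; assumed here to carry the role name

# Constructed sample values (illustration only).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # stands in for the Access-Request's random authenticator
IDENT = 7


def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response packet; used only to construct sample input here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, off = [], 0
    while off < len(body):
        if len(body) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[off], body[off + 1]
        if attr_len < 2 or off + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[off + 2:off + attr_len]))
        off += attr_len
    return attrs


def roles_from_response(packet, request_auth, secret, expected_ident):
    """Return the role names carried by a verified Access-Accept.

    Returns None for an Access-Reject (fail closed) and raises ValueError for
    anything malformed, mismatched or carrying a bad Response Authenticator.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    if ident != expected_ident:
        raise ValueError("identifier does not match outstanding request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator")
    if code != ACCESS_ACCEPT:
        return None
    return [value.decode("utf-8") for attr_type, value in parse_attributes(body)
            if attr_type == ATTR_FILTER_ID]


SAMPLE_ACCEPT = build_response(
    ACCESS_ACCEPT, IDENT, REQ_AUTH,
    [(ATTR_FILTER_ID, b"vpn-admin"), (ATTR_FILTER_ID, b"finance")], SECRET)
SAMPLE_REJECT = build_response(ACCESS_REJECT, IDENT, REQ_AUTH, [], SECRET)
# Same packet with the last byte of the role name flipped: the authenticator no longer matches.
SAMPLE_TAMPERED = SAMPLE_ACCEPT[:-1] + bytes([SAMPLE_ACCEPT[-1] ^ 0x01])

if __name__ == "__main__":
    print(roles_from_response(SAMPLE_ACCEPT, REQ_AUTH, SECRET, IDENT))
```

Checking the Response Authenticator before extracting the role matters: without it, anyone able to spoof UDP replies from the server's address could inject an Access-Accept carrying an administrative role. An Access-Reject returns None rather than an empty list so that callers cannot confuse "authenticated with no roles" (where the mode's default role applies) with "not authenticated".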
In S208, a target resource group is determined according to the role identifier. For example, a role set may be generated from the role identifiers, the role set containing at least one role identifier; the role identifiers in the role set are merged and de-duplicated; and the target resource group is extracted from the role set.
In S210, the login request of the user is processed based on the target resource group. For example, resource content may be acquired from the target resource group and written into the online information of the user, so that the user can operate on it.
According to this method of processing a user login request, the login request of the user is obtained; the authentication mode of the user is extracted from the login request; a role identifier is acquired based on the authentication mode; a target resource group is determined from the role identifier; and the login request is processed based on the target resource group. In this way hierarchical management and permission management are combined effectively, the login efficiency of the user is improved, network operation efficiency is improved, and the quality of configuration management is improved.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 3 is a schematic diagram illustrating a method for processing a user login request according to another exemplary embodiment.
In the present disclosure, roles are matched through different procedures according to the authentication mode of the user, so as to obtain the resource permissions corresponding to those roles; through user-group hierarchy, users obtain hierarchical permissions by inheriting the roles of their user groups.
Role: a role can be configured with several resource groups, and the resource types under each resource group include IP resources, WEB resources, shortcuts and bulletin messages. Roles can be bound to users, user groups and authentication modes.
Authentication mode: the authentication modes combined with role control include local authentication, RADIUS authentication, LDAP authentication, TACACS+ authentication, WEB authentication, 4A authentication and authentication-free. Authentication-free means authentication without an account and password.
User group: the upper layer of the user organization structure. It supports displaying sub-user groups in a tree structure, and the direct-jump resource, the IP address pool and the default authentication policy of its users can be configured on it.
User: the SSL VPN login entity. Authentication and resource acquisition are all performed around the user, and the authentication policy, IP address and roles can be configured individually on the user.
Further, as shown in fig. 3, the user requests login from the client. If the authentication-free mode is used, the default role of the authentication-free user is obtained, and the corresponding resource groups and resource permissions are then obtained from that role.
If local authentication is used, then after the authentication succeeds, the set of roles configured on the user and on its user groups is obtained (inheritance of the user-group roles can be switched off), and the corresponding resource groups and permissions are obtained from those roles.
RADIUS authentication and LDAP authentication follow a similar flow: after the user requests login, the VPN server sends the login information to the RADIUS server (or the LDAP server) for authentication, judges the authentication result and obtains the role name by parsing the corresponding response message. If the authentication succeeds but no role name is available, the default role configured for that authentication mode is used, and the corresponding permissions are obtained through the role.
After successful TACACS+ authentication, WEB authentication or 4A authentication, the flow is the same as for authentication-free. In every authentication flow, if the user is finally found to have no valid resources, the prompt "resources are not configured" is shown and the login page is returned.
According to this method of processing a user login request, the organization relationship can be decoupled, hierarchical management is made explicit and permission control is strengthened, which effectively helps the network administrator allocate user resources reasonably and thereby improves the efficiency and quality of network operation.
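The S206 to S210 steps and the fig. 3 flow above can be followed in code. The block below is an added example written for this page, not code from the patent or from the assignee's product. It assumes a stub `authenticate(mode, username, credential)` standing in for the local user database and for the RADIUS/LDAP exchange (returning whether authentication passed and the role name, if any, parsed from the server's reply), and a `Config` object holding the configured roles, the per-mode default roles and the role-to-resource-group mapping; every name and all sample data are constructed for the example. Two checks that the text implies but does not spell out are made explicit: the authentication mode is taken from server-side policy rather than from a field of the client's request, and a role name returned by an external server is accepted only if it names a configured role.

```python
"""Role resolution per authentication mode, following the fig. 3 flow.
Added example, not the patent's code. The stub authenticate(mode, username,
credential) stands in for the local user database and the RADIUS/LDAP
round-trip and returns (ok, role name parsed from the reply or None)."""
from dataclasses import dataclass, field

MAX_INHERITED_GROUPS = 8                      # the page: at most 8 user groups per user
EXTERNAL_MODES = {"radius", "ldap"}           # role name arrives in the server's reply
CONFIGURED_ROLE_MODES = {"none", "tacacs+", "web", "4a"}   # role comes from configuration


class AuthFailed(Exception):
    """Authentication did not pass."""
class ResourcesNotConfigured(Exception):
    """No valid resource found: the page prompts and returns the login page."""


@dataclass
class UserGroup:
    name: str
    roles: list
    default_auth_mode: str = ""               # default authentication policy of the group


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    inherit_group_roles: bool = True
    auth_mode: str = ""                       # per-user policy overrides the group default


@dataclass
class Config:
    known_roles: set                          # role names an administrator configured
    role_resource_groups: dict                # role name -> list of resource group names
    default_role: dict                        # auth mode -> default role ("none" = global)


def auth_mode_for(user, config):
    """Decide the mode from server-side policy (user, then group default). Never
    read it from the client's request, or a client could pick authentication-free."""
    if user.auth_mode:
        return user.auth_mode
    for g in user.groups:
        if g.default_auth_mode:
            return g.default_auth_mode
    return "local"


def merge_roles(*role_lists):
    """S404: merge, then de-duplicate keeping first-seen order."""
    return list(dict.fromkeys(r for roles in role_lists for r in roles))


def resolve_roles(user, mode, config, authenticate, credential=None):
    """S206: role identifiers for the user, chosen by authentication mode."""
    if mode in CONFIGURED_ROLE_MODES:
        if mode != "none" and not authenticate(mode, user.name, credential)[0]:
            raise AuthFailed(mode)
        return [config.default_role[mode]]
    if mode == "local":
        if not authenticate(mode, user.name, credential)[0]:
            raise AuthFailed(mode)
        inherited = [g.roles for g in user.groups[:MAX_INHERITED_GROUPS]] if user.inherit_group_roles else []
        return merge_roles(user.roles, *inherited)
    if mode in EXTERNAL_MODES:
        ok, role_name = authenticate(mode, user.name, credential)
        if not ok:
            raise AuthFailed(mode)
        # The role name is data parsed from the external reply: accept it only if it
        # names a configured role, otherwise use the default role of this mode.
        return [role_name] if role_name in config.known_roles else [config.default_role[mode]]
    raise ValueError(f"unknown authentication mode {mode!r}")


def resource_groups_for(roles, config):
    """S208: resource groups of all roles, merged and de-duplicated."""
    groups = merge_roles(*(config.role_resource_groups.get(r, []) for r in roles))
    if not groups:
        raise ResourcesNotConfigured(roles)
    return groups


def process_login(user, config, authenticate, credential=None):
    """S206 to S210: the record that would be written into the user's online information."""
    mode = auth_mode_for(user, config)
    roles = resolve_roles(user, mode, config, authenticate, credential)
    return {"user": user.name, "auth_mode": mode, "roles": roles,
            "resource_groups": resource_groups_for(roles, config)}


# Constructed sample configuration and stub authenticator so the example runs offline.
SAMPLE_CONFIG = Config(
    known_roles={"ops", "vpn-basic", "mail", "guest", "radius-default", "audit"},
    role_resource_groups={"ops": ["rg-servers", "rg-web"], "vpn-basic": ["rg-web"],
                          "mail": ["rg-mail"], "guest": ["rg-bulletin"],
                          "radius-default": ["rg-web"]},        # "audit" maps to nothing
    default_role={"none": "guest", "radius": "radius-default", "ldap": "guest",
                  "tacacs+": "guest", "web": "guest", "4a": "guest"})


def sample_authenticate(mode, username, credential):
    """Stub: (ok, role name found in the reply). Anything not listed fails."""
    table = {("local", "alice", "pw-alice"): (True, None),
             ("tacacs+", "gina", "pw-gina"): (True, None),
             ("radius", "bob", "pw-bob"): (True, "ops"),               # known role in reply
             ("radius", "carol", "pw-carol"): (True, "domain-admin"),  # unconfigured role
             ("ldap", "dave", "pw-dave"): (True, None)}
    return table.get((mode, username, credential), (False, None))
```

A user whose group default is local authentication and who inherits from two groups ends up with the merged, de-duplicated role list; a RADIUS reply that names a role the administrator never configured falls back to the mode's default role rather than being trusted, and a role that maps to no resource group raises `ResourcesNotConfigured`, which is where the "resources are not configured" prompt would be produced.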
Fig. 4 is a flowchart illustrating a method of processing a user login request according to another exemplary embodiment. The flow 40 shown in fig. 4 is a detailed description of "determining a target resource group according to the role identification" in the flow shown in fig. 2.
As shown in fig. 4, in S402, a role set is generated from the role identifiers, the role set containing at least one role identifier. The user and the user groups can each be configured with roles independently, and the user can choose to inherit the roles of the user groups it belongs to (at most 8 user groups can be configured for a user). Each user group and its corresponding roles are displayed in the user information, so that an administrator can see at a glance which roles are associated with the user, avoiding misoperation and similar problems.
In S404, the at least one role identifier in the role set is merged and de-duplicated. Before the user's permissions are acquired, the roles associated with the user are merged and then de-duplicated, which ensures the accuracy of the permissions finally obtained.
In S406, a database query statement is generated from the at least one role identifier in the role set. In the configuration flow, the elements associated for permissions are in a many-to-many relationship, and the association is established through element IDs. For example, when a user configuration is issued, the submitted data is a role name, and the back end must query the role table by role name to obtain the ID before it can establish the association with the user. Each user can be assigned several roles, and in the original implementation flow one query statement was executed for each role ID obtained.
In the present disclosure, the query statements are optimized according to database query efficiency and the role specification: a batch query statement is generated from all the role identifiers. Operating efficiency is improved by reducing the number of database queries: where the role ID previously had to be obtained many times, the resource groups corresponding to all roles can now be obtained with a single database query.
In S408, the target resource group is obtained from the database query statement.
In S410, the target resource group is stored in a preset array. All role information of the current system is acquired and stored in the corresponding array, and the required information is looked up by iterating over it.
According to this method of processing a user login request, hierarchical management is made explicit and permission control is strengthened, which effectively helps the network administrator allocate user resources reasonably and thereby improves the efficiency and quality of network operation.
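The batch lookup of S406 to S410 contrasted with the one-query-per-role flow, as an added example for this page (not the patent's or the assignee's code). The schema, the SQLite in-memory database and the sample rows are assumptions constructed for the example; the page does not describe the real tables. The batch statement generates one placeholder per role name and binds the names as parameters, and a deliberately unsafe variant is included only to show why that matters when role names come from an external server's reply.

```python
"""One parameterised batch query for the resource groups of all roles (S406 to S410).
Added example, not the patent's code. Assumed schema: role(id, name),
resource_group(id, name, kind) and the many-to-many table
role_resource_group(role_id, group_id). SQLite in memory, so it runs offline."""
import sqlite3

SCHEMA = """
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE resource_group (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, kind TEXT NOT NULL);
CREATE TABLE role_resource_group (
    role_id  INTEGER NOT NULL REFERENCES role(id),
    group_id INTEGER NOT NULL REFERENCES resource_group(id),
    PRIMARY KEY (role_id, group_id));
"""

# Constructed sample data: "audit" has no resource group and "rg-bulletin" has no role.
SAMPLE_ROLES = [(1, "ops"), (2, "vpn-basic"), (3, "mail"), (4, "audit")]
SAMPLE_GROUPS = [(10, "rg-servers", "IP"), (11, "rg-web", "WEB"),
                 (12, "rg-mail", "IP"), (13, "rg-bulletin", "bulletin")]
SAMPLE_LINKS = [(1, 10), (1, 11), (2, 11), (3, 12)]

GROUPS_FOR_ROLES = """
SELECT DISTINCT g.id, g.name, g.kind
FROM role r
JOIN role_resource_group rrg ON rrg.role_id = r.id
JOIN resource_group g ON g.id = rrg.group_id
WHERE r.name IN ({placeholders})
ORDER BY g.id"""


def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO role VALUES (?, ?)", SAMPLE_ROLES)
    con.executemany("INSERT INTO resource_group VALUES (?, ?, ?)", SAMPLE_GROUPS)
    con.executemany("INSERT INTO role_resource_group VALUES (?, ?)", SAMPLE_LINKS)
    return con


def dedupe(names):
    """S404: merge and de-duplicate, keeping first-seen order."""
    return list(dict.fromkeys(names))


def resource_groups_per_role(con, role_names):
    """The original flow the page describes: one statement to obtain each role ID,
    then one per role for its groups. Returns (groups, number_of_queries)."""
    groups, queries = {}, 0
    for name in dedupe(role_names):
        row = con.execute("SELECT id FROM role WHERE name = ?", (name,)).fetchone()
        queries += 1
        if row is None:
            continue
        for g in con.execute("SELECT g.id, g.name, g.kind FROM resource_group g "
                             "JOIN role_resource_group rrg ON rrg.group_id = g.id "
                             "WHERE rrg.role_id = ? ORDER BY g.id", (row[0],)):
            groups.setdefault(g[0], g)      # de-duplicate groups shared by several roles
        queries += 1
    return [groups[k] for k in sorted(groups)], queries


def resource_groups_batch(con, role_names):
    """S406 to S410: one statement for all roles. One '?' is generated per role
    name and the names are bound as parameters, never pasted into the SQL text:
    a role name parsed out of a RADIUS/LDAP reply is external data."""
    names = dedupe(role_names)
    if not names:
        return [], 0
    sql = GROUPS_FOR_ROLES.format(placeholders=",".join("?" * len(names)))
    return con.execute(sql, names).fetchall(), 1    # the result list is the "preset array"


def resource_groups_unsafe(con, role_names):
    """Counter-example only: quoting the names into the statement lets a crafted
    role name rewrite the WHERE clause. Do not use."""
    quoted = ",".join("'" + n + "'" for n in dedupe(role_names))
    return con.execute(GROUPS_FOR_ROLES.format(placeholders=quoted)).fetchall()
```

For three distinct roles the per-role flow issues six statements while the batch flow issues one and returns the same de-duplicated groups; a role name such as `x') OR 1=1 --` returns nothing from the parameterised query but every linked group from the string-built one.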
Those skilled in the art will appreciate that all or part of the steps implementing the above described embodiments are implemented as a computer program executed by a CPU. The above-described functions defined by the above-described methods provided by the present disclosure are performed when the computer program is executed by a CPU. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic disk or an optical disk, etc.
Furthermore, it should be noted that the above-described figures are merely illustrative of the processes involved in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Fig. 5 is a block diagram illustrating a processing apparatus for a user login request according to an exemplary embodiment. As shown in fig. 5, the processing device 50 for a user login request includes: a login module 502, an authentication module 504, a role module 506, a resource module 508, and a processing module 510.
The login module 502 is configured to obtain a login request of a user;
the authentication module 504 is configured to extract an authentication manner of the user based on the login request;
the role module 506 is configured to obtain a role identifier based on the authentication manner;
the resource module 508 is configured to determine a target resource group according to the role identifier;
the processing module 510 is configured to process a login request of the user based on the target resource group.
According to this apparatus for processing a user login request, the login request of the user is obtained; the authentication mode of the user is extracted from the login request; a role identifier is acquired based on the authentication mode; a target resource group is determined from the role identifier; and the login request is processed based on the target resource group. In this way hierarchical management and permission management are combined effectively, the login efficiency of the user is improved, network operation efficiency is improved, and the quality of configuration management is improved.
Fig. 6 is a block diagram of an electronic device, according to an example embodiment.
An electronic device 600 according to such an embodiment of the present disclosure is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 6, the electronic device 600 is in the form of a general purpose computing device. Components of electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different system components (including the memory unit 620 and the processing unit 610), a display unit 640, etc.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs steps described in the present specification according to various exemplary embodiments of the present disclosure. For example, the processing unit 610 may perform the steps as shown in fig. 2, 4.
The memory unit 620 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 6201 and/or cache memory unit 6202, and may further include Read Only Memory (ROM) 6203.
The storage unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 630 may be a local bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 600' (e.g., keyboard, pointing device, bluetooth device, etc.), devices that enable a user to interact with the electronic device 600, and/or any devices (e.g., routers, modems, etc.) that the electronic device 600 can communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 650. Also, electronic device 600 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 600, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, as shown in fig. 7, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-described method according to the embodiments of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium, other than a readable storage medium, that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The computer-readable medium carries one or more programs, which when executed by one of the devices, cause the computer-readable medium to perform the functions of: acquiring a login request of a user; extracting an authentication mode of the user based on the login request; acquiring a role identifier based on the authentication mode; determining a target resource group according to the role identifier; and processing the login request of the user based on the target resource group.
Those skilled in the art will appreciate that the modules may be distributed throughout several devices as described in the embodiments, and that corresponding variations may be implemented in one or more devices that are unique to the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solutions according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and include several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that this disclosure is not limited to the particular arrangements, instrumentalities and methods of implementation described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (5)

1. A method for processing a user login request, comprising:
acquiring a login request of a user;
extracting an authentication mode of the user based on the login request;
acquiring a role identifier based on the authentication mode, comprising: when the authentication mode of the user is an authentication-free mode, determining the role identifier of the user based on global configuration information; when the authentication mode of the user is a local authentication mode, acquiring local configuration information by an authentication function, and determining the role identifier based on the configuration information; when the authentication mode of the user is a RADIUS authentication mode, performing RADIUS authentication on the user, and after the RADIUS authentication is passed, extracting the role identifier based on a response message of a RADIUS server; when the authentication mode of the user is an LDAP authentication mode, performing LDAP authentication on the user, and after the LDAP authentication is passed, extracting the role identifier based on a response message of an LDAP server; when the authentication mode of the user is a TACACS+ authentication mode, a WEB authentication mode or a 4A authentication mode, extracting the role identifier according to the configuration information;
determining a target resource group according to the role identifier;
and processing the login request of the user based on the target resource group.
2. The processing method of claim 1, wherein determining a target resource group based on the role identification comprises:
generating a role set based on the role identifications, the role set including at least one role identification;
merging and deduplicating the at least one role identifier in the role set;
and extracting the target resource group according to the role set.
3. The processing method of claim 2, wherein extracting the target resource group from the set of roles comprises:
generating a database query statement according to the at least one role identifier in the role set;
acquiring the target resource group based on the database query statement;
and storing the target resource group into a preset array.
4. The processing method of claim 1, wherein processing the user's login request based on the target resource group comprises:
acquiring resource content based on the target resource group;
and writing the resource content into the online information of the user so as to facilitate the operation of the user.
5. An apparatus for processing a user login request, comprising:
the login module is used for acquiring a login request of a user;
the authentication module is used for extracting the authentication mode of the user based on the login request;
the role module is used for acquiring a role identifier based on the authentication mode, comprising: when the authentication mode of the user is an authentication-free mode, determining the role identifier of the user based on global configuration information; when the authentication mode of the user is a local authentication mode, acquiring local configuration information by an authentication function, and determining the role identifier based on the configuration information; when the authentication mode of the user is a RADIUS authentication mode, performing RADIUS authentication on the user, and after the RADIUS authentication is passed, extracting the role identifier based on a response message of a RADIUS server; when the authentication mode of the user is an LDAP authentication mode, performing LDAP authentication on the user, and after the LDAP authentication is passed, extracting the role identifier based on a response message of an LDAP server; when the authentication mode of the user is a TACACS+ authentication mode, a WEB authentication mode or a 4A authentication mode, extracting the role identifier according to the configuration information;
the resource module is used for determining a target resource group according to the role identification;
and the processing module is used for processing the login request of the user based on the target resource group.
CN202111147392.0A 2021-09-29 2021-09-29 User login request processing method and device Active CN113806724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111147392.0A CN113806724B (en) 2021-09-29 2021-09-29 User login request processing method and device


Publications (2)

Publication Number Publication Date
CN113806724A CN113806724A (en) 2021-12-17
CN113806724B true CN113806724B (en) 2024-02-09

Family

ID=78897023



Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109598117A (en) * 2018-10-24 2019-04-09 平安科技(深圳)有限公司 Right management method, device, electronic equipment and storage medium
CN110516452A (en) * 2019-08-07 2019-11-29 浙江大搜车软件技术有限公司 RBAC access authorization for resource distribution method, device, electronic equipment and storage medium
CN110692223A (en) * 2017-07-14 2020-01-14 日立数据管理有限公司 Method, apparatus and system for controlling user access to a data storage system
CN110839014A (en) * 2019-10-12 2020-02-25 平安科技(深圳)有限公司 Authentication method, device, computer system and readable storage medium
CN111062028A (en) * 2019-12-13 2020-04-24 腾讯科技(深圳)有限公司 Authority management method and device, storage medium and electronic equipment
CN111367573A (en) * 2020-03-12 2020-07-03 腾讯科技(深圳)有限公司 Equipment login method, device, storage medium and computer equipment
CN111695156A (en) * 2020-06-15 2020-09-22 北京同邦卓益科技有限公司 Service platform access method, device, equipment and storage medium
CN112581257A (en) * 2020-12-15 2021-03-30 中国建设银行股份有限公司 Dispute service management method, system, device and medium supporting different card organizations
CN112714123A (en) * 2020-12-27 2021-04-27 杭州迪普科技股份有限公司 Internet surfing method and device and electronic equipment
CN113282890A (en) * 2021-05-25 2021-08-20 挂号网(杭州)科技有限公司 Resource authorization method, device, electronic equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5787640B2 (en) * 2011-06-24 2015-09-30 キヤノン株式会社 Authentication system, authentication method and program
US20190332789A1 (en) * 2018-04-27 2019-10-31 Microsoft Technology Licensing, Llc Hierarchical access rights and role based access


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Application of SSL VPN technology in mobile e-government system access; Su Yi et al.; Intelligent City (智能城市), vol. 4, no. 14, pp. 45-46 *
Exploration and practice of user identity authentication and access control in cloud computing environments; Chi Wende; Proceedings of the 2016 Annual Academic Conference of the China Association of Journalism Technology Workers (中国新闻技术工作者联合会2016年学术年会论文集), pp. 81-85 *
Design and implementation of unified authentication management for enterprise-level information management systems; Guo Wei; Southern Energy Construction (南方能源建设), vol. 2, no. S1, pp. 242-246 *
Research and implementation of a general enterprise-level application security framework based on the RBAC model; Gao Longlong; China Master's Theses Full-text Database (中国优秀硕士学位论文全文数据库), Information Science and Technology, I138-336 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant