TW564625B - Method and system for filtering requests to a web site - Google Patents


Info

Publication number
TW564625B
Authority
TW
Taiwan
Prior art keywords
request
user
scope
address
module
Application number
TW91111787A
Other languages
Chinese (zh)
Inventor
Wen-Hao Hsu
Chung-Chih Lin
Jui-Yu Hsu
Original Assignee
Infopower Corp

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a method for intercepting and filtering a request before it is received by a web server, achieving the purpose of network security control without modifying any data or program code. The method comprises: retrieving a URL (uniform resource locator) from a request; verifying the identity of the user who sent the request; obtaining the role the user represents; mapping that role to the user's authority for accessing the web site; and allowing the request to access data stored in the web site depending on that authority, the data being the target resource located by the URL.

Description

564625

V. Description of the invention

5-1 Field of the invention

The present invention relates to network security, and more particularly to a security control system and method that can apply different levels of authority management to individual users while they browse a web site.

5-2 Background of the invention

The main function of the World Wide Web (WWW) is to let documents written in the Hypertext Markup Language (HTML) behave interactively in a network environment. An HTML document may contain audio, animation, images and other digital data types, all of which can be joined by hyperlinks that connect HTML documents together, so as to provide rich information and functions on the network. A user can therefore jump from one piece of information to the next on the World Wide Web. The invention of the browser has had a major impact on the use of today's Internet: users can read articles on the World Wide Web, and enterprise applications, distance learning and online shopping can cross the limits of time and space over the network. The World Wide Web can thus be said to play an important role in the development of the Internet.

More broadly, the World Wide Web is the concrete manifestation of accessing information through a network. It is therefore an environment that provides not only text but also sound, images and even animation, and it operates on a client/server architecture. A client/server architecture consists of a server and a client, each connected to the network; when a user issues a request at the client, the server sends the data back to the client over the network. A network built in this form is called a client-server network. The server referred to above is generally a computer running management software that controls network access and the resources in use, and that provides the resources, data and other services network users need, much like a workstation on the network; a server does, however, have larger peripheral storage and other hardware resources than an ordinary network workstation. A web server is a computer host able to handle client requests for HTML pages or files. Opposite the web server is the client, and a web browser is an application on the client: when a user at the client wants to view a page on the web server, the client sends an HTTP request to the web server, and the web server responds to the client by sending the requested information.

The HTTP (Hypertext Transport Protocol) mentioned above is the transfer protocol used on the World Wide Web. One of its main characteristics is that it is a cross-platform standard: data stored on different computer systems can all be interconnected over the Internet. When communicating, one end must run an HTTP client program, such as a web browser, and the other end must run HTTP server software, such as a web server.

In practice today, many web site services need to verify the client-side user in order to control which pages the user may view or which information the user may access. The usual approach is to have the user enter a pre-established account and password in order to log in; this, however, cannot provide page level control at a different degree for each user. If a web site wants to add security control over its use, its program code must be rewritten extensively, or even a whole new site built, which greatly inconveniences both the programmers and the users, and the cost in time and money is hard to calculate.

The present invention therefore proposes a security control system and method that gives an existing web site different levels of security control for individual users, without changing any of the original site's data or program code.

5-3 Objects and summary of the invention

In view of the many drawbacks of traditional web site security control described in the background above, the present invention provides a security control system and method to overcome the problems of conventional web site data access control.

One object of the present invention is to intercept and filter a user's request before the web server receives it, without modifying any data or program code, so that an under-protected web site can still achieve the purpose of security control.

Another object of the present invention is to connect automatically to the variables used by the web site.

Yet another object of the present invention is to set access authority individually for different users.

Yet another object of the present invention is to use a single file as the basic unit of control, the file being a resource accessible under the web site's structure.

Yet another object of the present invention is to filter and detect the reference variables appended to a uniform resource locator (URL).

Yet another object of the present invention is to set, for a preset Internet Protocol (IP) address, the scope of authority of requests issued from that IP address.

In accordance with these objects, the present invention provides a method for security control of requests to access web site data, comprising: obtaining the URL (Uniform Resource Locator) in a request; verifying the identity of the user who issued the URL; obtaining the role the user holds within the security control; obtaining the scope of authority with which that role is authorized to access the web site; and finally deciding, according to that scope of authority, whether the URL may access its target data.

The present invention can also provide a security control system that detects and filters, in front of the web server, requests to access the web site's data, comprising: a parser module for parsing the uniform resource locator (URL) and the Internet Protocol address (IP address) contained in a request; a verification module that verifies whether the user has completed the login procedure and thereby verifies the user's identity; a role group module, in which the user holds a role; a permission control module for setting the authority a role has, the authority denoting the data the user is allowed to access on the web site, roles with the same scope of authority being able to form a group; and a connect module that obtains the variables used by the web site and supplies their names to the parser module for use during parsing.

5-4 Detailed description of the invention

A preferred embodiment of the present invention is described in detail below. Beyond this detailed description, however, the invention can be practised widely in other embodiments, and its scope is not limited thereby but is defined by the claims that follow.

Some drawings are used to assist the description of this preferred embodiment: the first figure shows an implementation architecture of the security control system of the present invention, the second figure illustrates a preferred embodiment of the security control system, and the third figure illustrates a preferred operation flow of the security control system.

The present invention is a method for detecting and filtering a request to access a web page before the web server receives the command, comprising: receiving the request for a web page ahead of the web server; checking whether the client that issued the request is an authenticated user, and rejecting the request if it was issued by an unauthenticated user; obtaining the role to which the authenticated user belongs, the role being used to set the scope of pages the authenticated user may access, roles with the same scope being able to form a group; and finally checking whether the page the request wants to access lies within the scope of pages the authenticated user may access.

The first figure shows an implementation architecture for the present invention. A web server 100 accepts a request 102 issued by a user 101 at a client, and the security control system 104 of the present invention intercepts, detects and filters this request 102 before the web server 100 receives it. The request contains a URL (Uniform Resource Locator), which records the communication protocol the request uses; commonly used protocols include the File Transfer Protocol (FTP), the Hypertext Transfer Protocol (HTTP), Gopher and the Wide Area Information Server (WAIS). The implementation architecture and preferred embodiment of the present invention are described mainly in terms of HTTP as used on the World Wide Web (WWW), but this is not meant to limit the scope of the invention.

A URL is the standard way of indicating where some object is located, and the object is usually a web page on the Internet. The World Wide Web uses the URL as the format of a web address; in an HTML document, a URL specifies the target location of a hyperlink, and that target is usually another HTML document, which may be stored on another computer.


As shown in the first figure, a request from outside that passes through the web server 100 can access the web pages 103 placed on the web server 100, and the pages 103 hold the content and services the web site provides. These pages may be written in different program language structures, for example HTML (Hypertext Markup Language) pages, ASP (Active Server Page) pages or JSP (Java Server Page) pages. Furthermore, the web server that serves pages written in these different languages is not restricted to a fixed working platform; it may, for example, be a web server on an operating platform such as Linux or Windows.

In the implementation architecture of the first figure, the web site security control system 104 of the present invention receives the request 102 of the user 101 before the web server 100 does; the URL contained in this request 102 designates the web page 103a as its target resource. After receiving and processing the request 102, the security control system 104 allows the request 102 to access the page 103a according to the authority of the user who sent it, and the web server 100 then processes the page 103a and produces a response 105 for the user 101. If, after processing by the security control system 104, the request 102 is found to lack authority to access the page 103a, the security control system 104 can send a message informing the user 101 that they do not have authority to access the page 103a.

Different users have individual access rights.

When the user 101 first wants to browse a web site protected by the security control, the security control system 104 asks the user to enter an identification code, account or password by which the user can be identified. The security control system 104 then allows the user's requests to access pages through the web server within the scope authorized for this user 101, until the user 101 signs out. A user who wants to access the site again after signing out must re-verify their identity, and a user who performs no access for a specified time after logging in is also forcibly logged out by the security control system 104 to ensure the purpose of security control. The present invention does not need to change any program code under the original web site's structure; instead it filters and detects beforehand the command about to be received by the web server, and controls the request through the authority set in the security control system 104.

The second figure illustrates a preferred embodiment of the web site security control system of the present invention. A security control system 200 comprises at least the following functional modules: a parser module 201, a verification module 202, a role group module 204, a permission control module 206, a modifier module 208 and a connect module 210.

The parser module 201 parses a request 20 containing a URL before the web server 212 receives it, in order to read the information contained in the request 20: the URL, the Internet Protocol (IP) address, and other reference variables. The IP address here is like the address of a host computer on the network.

It is expressed as four numeric codes, each in the range 0 to 250, and is divided into five classes A to E.

Next, if the user has not signed in to the security control system 200, the verification module 202 asks the user to perform the login action. Once the user has logged in, the verification module 202 records that the user is logged in, so the user does not have to log in again for every request. The verification module 202 can also treat certain preset IP addresses specially, so that requests from those IP addresses need not verify their identity, or so that all requests from those IP addresses are rejected.

A user who has passed the verification module 202 holds a role in the role group module 204; a user may be a member of a group or belong to no group, and all roles in a group can have the same authority, which makes it convenient to control authority for the whole group. The permission control module 206 specifies the authority with which each role or group in the role group module 204 may access data. Through the role group module 204 and the permission control module 206, the access rights of individual users within the security control system 200 can be defined, so the security control system 200 of the present invention can control which pages a user may read according to that user's individual rights. Furthermore, the present invention can also set, for a preset IP address, the scope of authority of requests issued from that IP address, rather than being restricted to setting authority only for users.

The connect module 210 obtains the variable names used by the web site and supplies them to the parser module 201 for use during parsing. When the parser module 201 interprets the request 20, it can therefore detect and filter in advance the reference variables contained in the request 20, blocking or altering requests that carry particular variables, so as to achieve the purpose of security control.

In addition, the modifier module 208 can make the necessary data modifications to the verification module 202, the role group module 204 and the permission control module 206, for example changing the group a role belongs to or its scope of authority.

The third figure illustrates an operation flow of a preferred embodiment of the present invention. First, the URL (Uniform Resource Locator) of the request issued by the user is obtained (step 300). In general, a URL is the standard way of indicating where some object is located, and the object is usually a web page on the Internet. The World Wide Web uses the URL as the format of a web address; in an HTML document, a URL specifies the target location of a hyperlink, and that target is usually another HTML document, which may be stored on another computer.
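As an added example (not code from the patent or from Infopower Corp), the parser module and connect module just described can be sketched in Python. The raw HTTP request, the site's variable names and the "special" variable names are all constructed here, and `SiteVariables`, `parse_http_request` and `filter_variables` are names chosen for this example, not taken from the patent.

```python
"""Added example, not code from the patent or from Infopower Corp: a minimal
stand-in for the parser module 201 and the connect module 210. The site's
variable names, the 'special' names and the sample request are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl


class SiteVariables:
    """Stand-in for the connect module: holds the variable names the original
    site was designed with, plus names whose presence blocks a request."""

    def __init__(self, known, special=()):
        self.known = set(known)
        self.special = set(special)
        self.initialized = False

    def connect(self):
        # Steps 305/306: in the patent this links to the site's own variable
        # names; here the list is constructed, so connecting only sets a flag.
        self.initialized = True


@dataclass
class ParsedRequest:
    method: str
    url: str                  # absolute URL rebuilt from request line + Host
    path: str                 # path component used by the permission check
    ip: str                   # client address supplied by the transport layer
    variables: dict = field(default_factory=dict)          # query variables
    unknown_variables: list = field(default_factory=list)  # not known to site


def parse_http_request(raw: str, client_ip: str, site: SiteVariables) -> ParsedRequest:
    """Read the request line and headers of a raw HTTP/1.x request and
    classify its query variables against the site's known names."""
    if not site.initialized:
        site.connect()
    head = raw.partition("\r\n\r\n")[0]          # ignore any body
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    url = target if target.startswith("http") else f"http://{host}{target}"
    parts = urlsplit(url)
    variables = dict(parse_qsl(parts.query, keep_blank_values=True))
    unknown = sorted(v for v in variables if v not in site.known)
    return ParsedRequest(method, url, parts.path, client_ip, variables, unknown)


def filter_variables(req: ParsedRequest, site: SiteVariables):
    """Pre-filter on reference variables, returning (action, variables):
    'block' if a special variable is present, 'rewrite' with the unknown
    variables dropped if any were present, otherwise 'allow' unchanged."""
    if any(name in site.special for name in req.variables):
        return "block", {}
    if req.unknown_variables:
        kept = {k: v for k, v in req.variables.items() if k in site.known}
        return "rewrite", kept
    return "allow", dict(req.variables)


# Constructed sample input: a request carrying a variable the site never uses.
RAW_REQUEST = (
    "GET /members/report.asp?page=3&user=alice&debug=1 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)
SITE = SiteVariables(known=["page", "user", "lang"], special=["debug"])

if __name__ == "__main__":
    req = parse_http_request(RAW_REQUEST, "203.0.113.5", SITE)
    print(req.path, req.variables, req.unknown_variables)
    print(filter_variables(req, SITE))
```

The "rewrite" action is the "alter" branch of the description: unknown variables are dropped rather than forwarded, so the original site only ever sees the variable names it was designed with.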

Next, it is determined whether the URL is forbidden (step 301). It may be forbidden because the IP address is blocked or because of some other preset restriction; a rejected request (step 302) causes the system to produce a message informing the user that the request is not accepted. In the opposite case, where the URL is determined to be permitted (step 303), the security control system takes no further action and the request containing the URL is allowed to access its target data (step 309). If the URL falls into neither case, it is next determined whether the login procedure has been completed (step 304); if not, the request is rejected (step 302). It is then determined whether the connection has been initialized (step 305). The purpose of this step is to link the variable names used inside the security control system of the present invention to the variable names the original web site was designed with, because a site may use some system-wide global variable names for its own operation, and a URL will include those variable names as needed. The characteristic feature of the security control system of the present invention is that control is achieved without changing the original web site, so the invention detects whether initialization has occurred (step 305) and, if not, connects to the variables used in the original site's design through the connect module (step 306), so that the security control system knows the variable names the original site uses and can achieve the purpose of control.


After the steps described above, the role of the user to whom this URL belongs, or the group the user belongs to, is obtained (step 307), which gives the scope the user is authorized to access. It is then determined whether that authorized scope permits access to the resource being requested (step 308). If everything conforms to the user's scope of authority, the URL passes the security control system of the present invention and the user is allowed to access the target resource (step 309), that is, the page or data the user wanted to access.

The main object of the present invention is to achieve security control for existing program code or web site structure without changing it, by filtering, detecting and controlling the request before the web server receives it. A single web page serves as the basic unit of control for managing the scope of users' authority, and users can also be gathered into a group under a role identity for convenient management of individual users' rights.

The above is only a preferred embodiment of the present invention and is not intended to limit the scope of its patent claims.
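The operation flow of the third figure (steps 300 to 309), together with the preset IP address handling that the description and claims 4, 7, 10 and 11 attach to it and the idle logout mentioned earlier, can be written out as one decision function. This is an added example, not code from the patent or from Infopower Corp; the networks, users, roles, path patterns, session identifiers and the `SecurityControl` and `build_control` names are all constructed for it. The example generalizes the page's single web page unit of control to path patterns so that a role's scope can cover a whole directory.

```python
"""Added example, not code from the patent or from Infopower Corp: a stand-in
for the operation flow of the third figure (steps 300 to 309) together with
the preset IP address handling of claims 4, 7, 10 and 11 and the idle logout
of the description. Networks, users, roles and path patterns are constructed."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


class SecurityControl:
    def __init__(self, denied_networks, trusted_networks, role_scopes, groups,
                 idle_limit=600):
        self.denied = [ip_network(n) for n in denied_networks]    # step 301
        self.trusted = [ip_network(n) for n in trusted_networks]  # step 303
        self.role_scopes = role_scopes   # permission control: name -> patterns
        self.groups = groups             # role group: group -> member roles
        self.idle_limit = idle_limit     # seconds of inactivity before logout
        self.sessions = {}               # verification: id -> [user, role, last_seen]

    def sign_in(self, session_id, user, role, now=0.0):
        """Record a completed login so later requests need not log in again."""
        self.sessions[session_id] = [user, role, now]

    def sign_out(self, session_id):
        self.sessions.pop(session_id, None)

    def scope_for(self, role):
        """Path patterns a role may read: its own plus those of each group it is in."""
        patterns = list(self.role_scopes.get(role, []))
        for group, members in self.groups.items():
            if role in members:
                patterns.extend(self.role_scopes.get(group, []))
        return patterns

    def filter_request(self, url, client_ip, session_id=None, now=0.0):
        """Decide on one request; returns (decision, reason)."""
        path = urlsplit(url).path                                  # step 300
        addr = ip_address(client_ip)
        if any(addr in net for net in self.denied):                # 301 -> 302
            return "deny", "request not accepted: address is blocked"
        if any(addr in net for net in self.trusted):               # 303 -> 309
            return "allow", "trusted address, no further checks"
        session = self.sessions.get(session_id)                    # step 304
        if session is None:
            return "deny", "login required"
        user, role, last_seen = session
        if now - last_seen > self.idle_limit:                      # idle logout
            self.sign_out(session_id)
            return "deny", "session expired, login required"
        session[2] = now
        if any(fnmatchcase(path, p) for p in self.scope_for(role)):  # 307/308
            return "allow", f"{user} ({role}) may read {path}"
        return "deny", f"{user} ({role}) has no authority for {path}"   # 302


def build_control():
    """Constructed configuration: two roles sharing the 'accounting' group."""
    ctl = SecurityControl(
        denied_networks=["198.51.100.0/24"],
        trusted_networks=["192.0.2.0/24"],
        role_scopes={
            "guest": ["/public/*"],
            "auditor": ["/public/*"],
            "bookkeeper": ["/public/*", "/ledger/*"],
            "accounting": ["/reports/*"],      # group scope shared by members
        },
        groups={"accounting": ["auditor", "bookkeeper"]},
    )
    ctl.sign_in("sess-alice", "alice", "auditor", now=0.0)
    ctl.sign_in("sess-bob", "bob", "guest", now=0.0)
    return ctl


if __name__ == "__main__":
    ctl = build_control()
    for url, ip, sid, t in [
        ("http://www.example.test/public/index.html", "198.51.100.7", None, 1.0),
        ("http://www.example.test/admin/setup.asp", "192.0.2.9", None, 1.0),
        ("http://www.example.test/reports/q1.asp", "203.0.113.5", "sess-alice", 30.0),
        ("http://www.example.test/reports/q1.asp", "203.0.113.5", "sess-bob", 30.0),
        ("http://www.example.test/public/a.html", "203.0.113.5", "sess-alice", 2000.0),
    ]:
        print(ctl.filter_request(url, ip, sid, now=t))
```

The order of the checks follows the figure: the address lists are consulted before any session lookup, so a blocked address is refused without ever reaching the login step, and a trusted address bypasses the role check entirely, which is exactly why such a list deserves to be kept short and reviewed.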
All other equivalent changes or modifications made without departing from the spirit disclosed by the present invention should be included within the scope of the following claims.

Brief description of the drawings

The first figure shows an implementation architecture of the security control system of the present invention; the second figure illustrates a preferred embodiment of the security control system of the present invention; and the third figure illustrates a preferred operation flow of the security control system of the present invention.

Reference numerals of the main parts:

100 web server
101 user
102 request
103 web page
103a web page 1
103b web page 2
104 security control system
105 response
20 request
200 security control system
201 parser module
202 verification module
204 role group module
206 permission control module
208 modifier module
210 connect module
300 to 309 process step blocks

Claims

VI. Claims

1. A method for security control of a request to access data of a web site, comprising: obtaining a uniform resource locator (URL) from a request; verifying the identity of the user who issued the request; obtaining the role to which the user belongs; obtaining the scope of authority that the role is authorized to exercise when accessing the web site; and, according to that scope of authority, allowing the request to access a piece of data stored on the web site, the data being the target resource designated by the URL.

2. The security control method of claim 1, wherein the data comprises at least one web page.

3. The security control method of claim 1, further obtaining an Internet address (IP address) from the request.

4. The security control method of claim 3, further locking at least one IP address so that any request from that IP address is refused access to the web site.

5. The security control method of claim 1, wherein verifying the identity of the user comprises requiring the user to enter an account and a password.

6. The security control method of claim 5, wherein requiring the user to enter an account and a password need only be performed on the user's first access to the web site.

7. The security control method of claim 1, further setting, for a preset IP address, the scope of authority held by requests issued from that IP address.

8. A security control system for filtering requests to access data of a web site, comprising: a parser module for parsing the URL and the IP address contained in a request; a verification module that provides a login procedure for verifying the identity of the user who issued the request; a role group module, in which the user holds a role identity, each user having a different role; an authority control module for setting the authority held by the role, the authority indicating the access the user is allowed to perform on the web site, roles with the same authority being able to form a group in the role group module; and a connection module that links to the variable names used by the web site and supplies those variable names to the parser module for use during parsing.

9. The security control system of claim 8, further comprising a modification module for modifying the settings of the parser module, the verification module, the role group module, the authority control module and the connection module.

10. The security control system of claim 8, wherein at least one IP address may be preset so that requests from that IP address pass through the security control system and access the web site directly.

11. The security control system of claim 8, wherein at least one IP address may be preset so that all requests from that IP address are refused.

12. The security control system of claim 8, wherein the authority control module may further set a scope of authority for a group, so that the roles contained in that group hold the same authority.

13. A method for filtering requests to access a web page, comprising: receiving a request, the request being a Hypertext Transfer Protocol request (HTTP request); verifying the identity of the user who issued the request; obtaining the role to which the user belongs, the role indicating the user's access authority, roles with the same authority being able to form a group; and the request accessing a target web page according to the user's authority.

14. The method for filtering requests to access a web page of claim 13, further issuing a message requesting that a user who has not passed verification …

15. The method for filtering requests to access a web page of claim 13, further locking at least one preset IP address so that any request issued from that IP address is refused.
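The filter the claims describe, written out as an added worked example in Python; it is not code from the patent, which reproduces none. It implements the parser module (URL and client IP out of a raw HTTP request), the verification module (account and password once, then a session token), role and group scopes, a per-network scope that needs no login, and the IP allow and deny lists, and it decides before any web server would see the request. All user names, passwords, networks, paths and request lines are constructed for illustration. Two points the claims leave open are handled the way a practitioner would want: the path is percent-decoded and normalised before the prefix check, so `/public/%2e%2e/admin/` is judged as `/admin/`, and the client IP is taken from the socket peer rather than from a header the client controls.

```python
"""Request filter in the shape of the claims above (added example, not the
patent's code). Parse URL and client IP, authenticate, map user -> role ->
permitted URL scope (plus group and per-network scopes), apply IP allow/deny
lists, and admit or refuse before a web server sees the request.
Every user, password, network and request line here is constructed."""
import hashlib
import hmac
import posixpath
import secrets
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import unquote, urlsplit

_SALT = b"constructed-salt"  # assumption: a real deployment stores a random salt per user


def _pwhash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000)


# user -> (role, password hash): verification module / role group module (claims 5, 8)
USERS = {"alice": ("analyst", _pwhash("correct horse")),
         "bob": ("guest", _pwhash("battery staple")),
         "root": ("admin", _pwhash("hunter2"))}
# role -> permitted URL path prefixes: authority control module (claims 1, 8)
ROLES = {"admin": {"/"}, "analyst": {"/reports/", "/public/"}, "guest": {"/public/"}}
# group -> member roles, and the extra scope every role in the group shares (claim 12)
GROUPS = {"staff": {"admin", "analyst"}}
GROUP_SCOPE = {"staff": {"/intranet/"}}
# networks that bypass the filter (claim 10), are refused outright (claims 4, 11, 15),
# or are granted a scope with no login at all (claim 7)
IP_ALLOW = [ip_network("10.0.0.0/8")]
IP_DENY = [ip_network("203.0.113.0/24")]
IP_SCOPE = {ip_network("192.0.2.0/24"): {"/public/"}}
SESSIONS: dict = {}  # token -> user: credentials asked once, on first access (claim 6)


def login(user: str, password: str) -> Optional[str]:
    """Verification module: constant-time hash compare; token on success, else None."""
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[1], _pwhash(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def parse_request(raw: str) -> dict:
    """Parser module: request line, headers, session cookie. The path is decoded
    and normalised first so /public/%2e%2e/admin/x is judged as /admin/x."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path = posixpath.normpath(unquote(urlsplit(target).path)) or "/"
    if not path.startswith("/"):
        path = "/" + path
    cookies = dict(c.strip().split("=", 1)
                   for c in headers.get("cookie", "").split(";") if "=" in c)
    return {"method": method, "path": path, "headers": headers,
            "session": cookies.get("session")}


def scope_for(user: str) -> set:
    """Role scope plus the scope of every group that contains the role."""
    role = USERS[user][0]
    scope = set(ROLES.get(role, ()))
    for group, members in GROUPS.items():
        if role in members:
            scope |= GROUP_SCOPE.get(group, set())
    return scope


def _in_scope(path: str, scope: set) -> bool:
    return any(path == p.rstrip("/") or path.startswith(p) for p in scope)


def filter_request(raw: str, client_ip: str) -> tuple:
    """Return (allowed, http_status, reason). client_ip must be the socket peer
    address; trusting X-Forwarded-For would let a client choose its own list."""
    client = ip_address(client_ip)
    if any(client in net for net in IP_DENY):
        return (False, 403, "client network denied")
    if any(client in net for net in IP_ALLOW):
        return (True, 200, "trusted network, filter bypassed")
    req = parse_request(raw)
    scope = set()
    for net, net_scope in IP_SCOPE.items():  # scope granted by source network alone
        if client in net:
            scope |= net_scope
    user = SESSIONS.get(req["session"]) if req["session"] else None
    if user is not None:
        scope |= scope_for(user)
    elif not scope:
        return (False, 401, "login required")
    who = user or "anonymous"
    if _in_scope(req["path"], scope):
        return (True, 200, f"{req['method']} {req['path']} permitted for {who}")
    return (False, 403, f"{req['path']} outside the scope of {who}")


def http_get(path: str, token: Optional[str] = None) -> str:
    """Build a constructed raw HTTP/1.1 request for trying the filter."""
    cookie = f"Cookie: session={token}\r\n" if token else ""
    return f"GET {path} HTTP/1.1\r\nHost: www.example.test\r\n{cookie}\r\n"
```

Usage: `tok = login("alice", "correct horse")` then `filter_request(http_get("/reports/q1.html", tok), "198.51.100.7")` returns an allow; the same token against `/admin/users`, or against `/public/%2e%2e/admin/users`, returns 403 because the prefix check runs on the normalised path. A request with no session from 192.0.2.0/24 is allowed only inside the network's own scope; from any other network it gets 401; from 203.0.113.0/24 it is refused before parsing, session or not. Scopes here are path prefixes; a deployment that keys authority on query variables would hang the connection module's variable names off the parser in the same place.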
TW91111787A 2002-05-31 2002-05-31 Method and system for filtering requests to a web site TW564625B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW91111787A TW564625B (en) 2002-05-31 2002-05-31 Method and system for filtering requests to a web site

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW91111787A TW564625B (en) 2002-05-31 2002-05-31 Method and system for filtering requests to a web site

Publications (1)

Publication Number Publication Date
TW564625B true TW564625B (en) 2003-12-01

Family

ID=34617917

Family Applications (1)

Application Number Title Priority Date Filing Date
TW91111787A TW564625B (en) 2002-05-31 2002-05-31 Method and system for filtering requests to a web site

Country Status (1)

Country Link
TW (1) TW564625B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103268257A (en) * 2012-07-23 2013-08-28 威盛电子股份有限公司 Hardware resource access system and method for accessing hardware resource of electric device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103268257A (en) * 2012-07-23 2013-08-28 威盛电子股份有限公司 Hardware resource access system and method for accessing hardware resource of electric device
US9253249B2 (en) 2012-07-23 2016-02-02 Via Technologies, Inc. Hardware resource accessing systems and methods for accessing hardware resources in browser-based operating systems and machine-readable storage medium thereof
US9420040B2 (en) 2012-07-23 2016-08-16 Via Technologies, Inc. Hardware resource accessing systems and methods for accessing hardware resources in browser-based operating systems and machine-readable storage medium thereof
CN106293965A (en) * 2012-07-23 2017-01-04 威盛电子股份有限公司 The method of the hardware resource of hardware resource access system and access electronic installation thereof

Similar Documents

Publication Publication Date Title
US11706218B2 (en) Systems and methods for controlling sign-on to web applications
CN104255007B (en) OAUTH frameworks
US7424543B2 (en) System and method of permissive data flow and application transfer
EP2580673B1 (en) Online business method, system and apparatus based on open application programming interface
CN101663671B (en) Authorization for access to web service resources
TWI400922B (en) Authentication of a principal in a federation
US9684628B2 (en) Mechanism for inserting trustworthy parameters into AJAX via server-side proxy
JP2005317022A (en) Account creation via mobile device
JP2011530740A (en) Form entry and automatic password generation using digital ID
US20040010710A1 (en) Method and system for filtering requests to a web site
US7234158B1 (en) Separate client state object and user interface domains
US20020194262A1 (en) System and method for controlling the interruption and resumption of access to WWW pages requiring certain prerequisites
US20210397682A1 (en) Secure Service Interaction
JPH08314863A (en) Security system in computer network
CN101496022B (en) Method for providing protected access of corresponding program
JP2002149605A (en) Procuration device and method for authentication and recording medium
TW564625B (en) Method and system for filtering requests to a web site
JPH11212849A (en) Common file transmission and reception system, and access right discrimination device
CN112836186A (en) Page control method and device
JPH11272613A (en) User authentication method, recording medium stored with program for executing the method, and user authentication system using the method
JP4712989B2 (en) Information distribution server device
JP2005339008A (en) Access control method and program, and recording medium
JP5708131B2 (en) ACCESS CONTROL SYSTEM, ACCESS CONTROL METHOD, AUTHENTICATION DEVICE AND ITS PROGRAM, AND SERVICE PROVIDING DEVICE
JP4837060B2 (en) Authentication apparatus and program
Ying Research on multi-level security of shibboleth authentication mechanism

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees
MM4A Annulment or lapse of patent due to non-payment of fees