WO2022193494A1 - Permission control method, server, terminal, storage medium and computer program - Google Patents

Permission control method, server, terminal, storage medium and computer program

Publication number
WO2022193494A1
Authority
WO
WIPO (PCT)
Prior art keywords
token
file
server
path
terminal device
Application number
PCT/CN2021/105569
Inventor
王之龙
郑猛猛
杨子骁
徐伟伟
Original Assignee
上海商汤智能科技有限公司
Application filed by 上海商汤智能科技有限公司
Priority to KR1020227014600A (patent KR20220130088A)
Publication of WO2022193494A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Definitions

  • the present application relates to the field of authority control, and in particular, to an authority control method and a server, a terminal, a storage medium and a computer program.
  • that the server controls the access authority to the file can be understood as follows: the server only allows the user to perform the first operation after verifying that the user has the authority to perform the first operation on the file accessed by the server.
  • the first operation may include at least one of read-only, write, modify, delete, and the like.
  • the server verifies whether the user has the right to modify the online file. If the server verifies that the user has the right to modify the online file, it will execute the corresponding operation according to the modification instruction; otherwise, it will refuse to execute the modification instruction.
  • the server usually verifies whether the user has the right to perform an operation on the document it accesses by querying the user's permission information.
  • it usually takes a long time to query the user's permission information, which leads to a long time to verify the user's permission and poor user experience. Therefore, there is a need to investigate ways to verify a user's permissions more quickly.
  • the embodiments of the present application disclose an authority control method, a server, a terminal, a storage medium and a computer program.
  • an embodiment of the present application provides an online file permission control method.
  • the method includes: a server receives a first file operation request from a terminal device; the first file operation request is used to request to perform a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, and both the first path and the second path are paths in the file management system run by the server; when the first file operation request satisfies a first condition, the server performs the first operation on the file; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path includes the first path.
  • the time taken by the server to determine whether the first file operation request satisfies the first condition is less than the time taken to verify whether the user (corresponding to the terminal device) has the right to perform the first operation on the file of the first path.
  • the server performs the first operation on the file when the first file operation request satisfies the first condition; there is no need to query the permission information of the user (corresponding to the terminal device), and the user's permission can be verified more quickly, so as to respond to the first file operation request faster.
  • the first token further includes a validity period of the first token; the first condition further includes: the time when the server receives the first file operation request is within the validity period.
  • the validity period of the first token may be used to determine the validity of the first token. It should be understood that if the time when the server receives the first token (that is, the time when the first file operation request is received) is within the validity period of the first token, the first token is valid; otherwise, the first token is invalid.
  • because the first condition further includes that the time when the server receives the first file operation request is within the validity period, the server can quickly and accurately determine whether the token is valid.
  • the server may set different validity periods according to different permissions (corresponding to the first operation set). For example, for some high-risk operations such as modification and deletion of files, the validity period of the token will be set as short as possible; for some permissions to view files, the validity period can be relaxed.
  • before the server performs the first operation on the file, the method further includes: the server performs a legality check and a validity check on the first token; the validity check is to check whether the time when the server receives the first file operation request is within the validity period; in the case that the first token passes the legality check and the validity check, the server verifies whether the first operation is included in the first operation set and whether the second path includes the first path.
  • the first token is first checked for legality and validity, and only if it passes both checks is it then verified whether the first operation is included in the first operation set and whether the second path includes the first path; this reduces how often the server has to verify whether the first operation is included in the first operation set and whether the second path includes the first path.
  • before the server receives the first file operation request from the terminal device, the method further includes: the server generates the first token; the server sends the first token to the terminal device.
  • the server sends the first token to the terminal device, so that the terminal device can generate the required file operation request by using the first token.
  • the generating, by the server, of the first token includes: generating, by the server, an initial token; encrypting the initial token based on the HMACSHA256 algorithm to obtain the first token; wherein the server can store the secret (Secret).
  • the generation of the initial token by the server may be: the server uses JSON Web Token (JWT for short) to generate the initial token; wherein, JWT is a currently popular cross-domain authentication solution.
  • the initial token is encrypted based on the HMACSHA256 algorithm to obtain the first token; the content of the first token cannot be deciphered externally, and the forgery of the first token is avoided, and the security is high.
  • before the server generates the first token, the method further includes: the server receives a token acquisition request from the terminal device, and the token acquisition request is used for obtaining the token required for the first operation on the file of the first path; the server obtains, according to the token acquisition request, the role permission information of the target account logged in by the terminal device; the target account is the account used by the terminal device for logging in to the file management system; and generating the first token by the server includes: the server generating the first token according to the role permission information.
  • the server generates the first token according to the role permission information; the first token matching the role permission information can be quickly generated.
  • before the server receives the token acquisition request from the terminal device, the method further includes: the server performs login authentication on the target account that the terminal device uses to log in to the file management system; the server receiving the token acquisition request from the terminal device includes: the server receiving an access operation by the terminal device on the file of the first path in the file management system.
  • the server may perform login authentication on the target account by verifying the target account and password used by the terminal device to log in to the file management system.
  • the access operation may be an operation of selecting the file of the first path by the terminal device, for example, an operation of clicking the file of the first path.
  • when the server receives the terminal device's access operation on the file of the first path in the file management system, it can be regarded as receiving a token acquisition request from the terminal device, and a corresponding token can be generated in time.
  • the method further includes: the server receives a second file operation request from the terminal device; the second file operation request is used to request to perform a second operation on the file of the third path, the second file operation request carries a second token, the second token includes a fourth path and a second operation set, and the second operation set includes at least one operation; if the second file operation request does not meet the second condition, the server rejects the second file operation request; the second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the fourth path includes the third path.
  • the server rejects the second file operation request when the second file operation request does not meet the second condition; there is no need to verify the authority of the user (corresponding to the terminal device), so the user can be verified more quickly and the second file operation request can be responded to faster.
  • the second token further includes a validity period of the second token; the second condition further includes: the time when the server receives the second file operation request is within the validity period of the second token.
  • because the second condition further includes that the time when the server receives the second file operation request is within the validity period of the second token, the server can quickly and accurately determine whether the token is valid.
  • by setting the validity period of the token, the adverse effects caused by the leakage of the token can be reduced.
  • the files of the first path are partial files in the same directory, and the first operation set includes at least one of creating, modifying, locking, deleting, moving, and hiding.
  • the files in the first path may be any files, not all files in the entire directory. That is, the path can match any directory or file of the user.
  • the file in the first path can be any file, which can support more business scenarios; the first operation set includes: at least one of creating, modifying, locking, deleting, moving, and hiding, which can achieve more access control.
  • the path can be customized in the token, and the operation authority can be customized in the token, such as creating, modifying, locking, deleting, moving, and hiding.
  • an embodiment of the present application provides another method for controlling permissions of an online file, including: a terminal device generating a first file operation request; the first file operation request is used to request to perform a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, the first path and the second path are both paths in the file management system run by the server, and the first token is used by the server to verify whether the terminal device has the authority to perform the first operation on the file of the first path; the terminal device sends the first file operation request to the server.
  • the terminal device sends a first file operation request carrying the first token to the server, so that the server can use the first token to quickly and accurately verify whether the terminal device (corresponding to the user) has permission to perform the first operation on the file of the first path.
  • the first token further includes a validity period of the first token, and the validity period is used to verify the validity of the first token.
  • the first token further includes the validity period of the first token, so that the server can verify the validity of the first token.
  • before the terminal device generates the first file operation request, the method further includes: the terminal device acquires the first token cached by the browser or client application; the terminal device generating the first file operation request includes: the terminal device generating the first file operation request based on the first token.
  • the terminal device can quickly acquire the first token, so as to quickly generate the first file operation request.
  • before the terminal device generates the first file operation request, the method further includes: the terminal device sends a token acquisition request to the server, where the token acquisition request is used to acquire the token required for performing the first operation on the file of the first path; and the terminal device receives the first token from the server and caches the first token.
  • the terminal device can quickly acquire the first token by sending a token acquisition request to the server.
  • before the terminal device sends a token acquisition request to the server, the method further includes: the terminal device uses a target account to log in to the file management system; the sending of the token acquisition request to the server includes: in response to the user's access operation on the file of the first path in the file management system, sending the token acquisition request to the server.
  • the token acquisition request may be sent in time.
  • the files of the first path are partial files in the same directory, and the first operation set includes at least one of creating, modifying, locking, deleting, moving, and hiding.
  • the file in the first path can be any file, which can support more business scenarios; the first operation set includes at least one of creating, modifying, locking, deleting, moving, and hiding, which can achieve more access control.
  • an embodiment of the present application provides a server, including: a transceiver unit configured to receive a first file operation request from a terminal device; the first file operation request is used to request to perform a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, and the first path and the second path are both paths in the file management system run by the server; a processing unit configured to perform the first operation on the file when the first file operation request satisfies the first condition; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path includes the first path.
  • the first token further includes a validity period of the first token; the first condition further includes: the time when the server receives the first file operation request is within the validity period.
  • the processing unit is further configured to perform a legality check and a validity check on the first token; the validity check is to check whether the time when the server receives the first file operation request is within the validity period; if the first token passes the legality check and the validity check, verify whether the first operation is included in the first operation set and whether the second path includes the first path.
  • the processing unit is further configured to generate the first token; the transceiver unit is further configured to send the first token to the terminal device.
  • the processing unit is configured to encrypt the initial token based on the HMACSHA256 algorithm to obtain the first token.
  • the processing unit is configured to use JSON Web Token to generate the initial token.
  • the transceiver unit is further configured to receive a token acquisition request from the terminal device, where the token acquisition request is used to acquire the token required for the first operation on the file of the first path; the processing unit is further configured to acquire, according to the token acquisition request, the role permission information of the target account logged in by the terminal device; the target account is the account used by the terminal device to log in to the file management system; the processing unit is configured to generate the first token according to the role permission information.
  • the processing unit is further configured to perform login authentication on the target account used by the terminal device to log in to the file management system; the transceiver unit is configured to receive the terminal device's access operation on the file of the first path in the file management system.
  • the transceiver unit is further configured to receive a second file operation request from the terminal device; the second file operation request is used to request to perform a second operation on the file of the third path, the second file operation request carries a second token, the second token includes a fourth path and a second operation set, and the second operation set includes at least one operation; the processing unit is further configured to reject the second file operation request in the case that the second file operation request does not meet the second condition; the second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the fourth path includes the third path.
  • the files of the first path are partial files in the same directory, and the first operation includes at least one of creating, modifying, locking, deleting, moving, and hiding.
  • an embodiment of the present application provides a terminal device, including: a processing unit configured to generate a first file operation request; the first file operation request is used to request to perform a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, the first path and the second path are both paths in the file management system run by the server, and the first token is used by the server to verify whether the terminal device has the authority to perform the first operation on the file of the first path; a transceiver unit configured to send the first file operation request to the server.
  • the first token further includes a validity period of the first token, and the validity period is used to verify the validity of the first token.
  • the processing unit is further configured to acquire the first token cached by the browser or client application; the processing unit is configured to generate the first file operation request based on the first token.
  • the transceiver unit is further configured to send a token acquisition request to the server, where the token acquisition request is used to acquire the token required for performing the first operation on the file of the first path; and to receive the first token from the server and cache the first token.
  • the processing unit is further configured to log in to the file management system using a target account; the transceiver unit is further configured to send the token acquisition request to the server in response to the user's access operation on the file of the first path in the file management system.
  • the files of the first path are partial files in the same directory, and the first operation includes at least one of creating, modifying, locking, deleting, moving, and hiding.
  • an embodiment of the present application provides a server, where the server includes: a memory for storing a program; a processor for executing the program stored in the memory, and when the program is executed, the processor is configured to execute the method as described above in the first aspect and any of the possible implementations.
  • an embodiment of the present application provides a terminal device, the terminal device includes: a memory for storing a program; a processor for executing the program stored in the memory, and when the program is executed, the processor is configured to execute the method as described above in the second aspect and any possible implementation manner.
  • an embodiment of the present application provides a chip, the chip includes a processor and a data interface, the processor reads an instruction stored in a memory through the data interface, and executes the method of the first aspect above and any of its possible implementations.
  • an embodiment of the present application provides a chip, the chip includes a processor and a data interface, the processor reads an instruction stored in a memory through the data interface, and executes the method of the second aspect and any of its possible implementations.
  • an embodiment of the present application provides a computer-readable storage medium, where the computer storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the above-mentioned No. Aspects and methods of any possible implementation.
  • an embodiment of the present application provides a computer-readable storage medium, where the computer storage medium stores a computer program, the computer program includes program instructions, and when executed by a processor, the program instructions cause the processor to execute the above-mentioned first step.
  • an embodiment of the present application provides a computer program, including computer-readable code, when the computer-readable code is executed in a server, the processor in the server executes the program to implement the method of the above-mentioned first aspect and any possible implementation.
  • an embodiment of the present application provides a computer program, including computer-readable code, when the computer-readable code is run in a terminal device, a processor in the terminal device executes the program to implement the method of the above-mentioned first aspect and any possible implementation.
  • Embodiments of the present application provide an authority control method, a server, a terminal, a storage medium, and a computer program.
  • the server receives a first file operation request from a terminal device; the first file operation request is used to request to perform a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, and both the first path and the second path are paths in the file management system run by the server; when the first file operation request satisfies the first condition, the server performs the first operation on the file; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path includes the first path. In this way, there is no need to query the permission information of the user (corresponding to the terminal device), the permission of the user can be verified faster, and the first file operation request can be responded to faster.
  • FIG. 1 is a flowchart of a method for controlling the authority of an online file provided by an embodiment of the present application.
  • FIG. 2 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application.
  • FIG. 3 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application.
  • FIG. 5 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application.
  • FIG. 6 is an interactive flowchart of an online file permission control method provided by an embodiment of the present application.
  • FIG. 7 is an interactive flowchart of another online file permission control method provided by an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a server according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a server provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of another terminal device 110 provided by an embodiment of the present application.
  • FIG. 12 is a block diagram of a partial structure of a terminal device provided by an embodiment of the present application.
  • the currently generally adopted method of access authority control is as follows: whether the user has the authority to perform an operation on the document accessed by the user is verified by querying the authority information of the user. However, it usually takes a long time to query the user's permission information, which leads to a long time to verify the user's permission and poor user experience.
  • the embodiment of the present application provides a permission control scheme for online files, and the user's permission is verified by means of a token, so that the user's permission can be verified more quickly.
  • the online file authority control method provided by the embodiment of the present application can be applied to the scene of editing an online file.
  • the application of the online file authority control method provided by the embodiment of the present application in the scenario of editing an online file is briefly introduced below.
  • the terminal device edits (for example, modify, delete, move, lock, etc.) the online files in the file management system running on the server.
  • the user uses a terminal device to log in to the file management system run by the server; the user uses the terminal device to send a file operation request carrying a token to the server, and the file operation request is used to request to perform a target operation on a certain online file in the file management system; the server verifies whether the user has the permission to perform the target operation on the online file according to the token; the server performs the target operation on the online file after verifying that the user has the permission to perform the target operation on the file; otherwise, the server denies the file operation request.
  • the above-mentioned terminal device may be an intelligent terminal such as a mobile phone, a personal computer, a tablet computer, a wearable device, a personal digital assistant, and an information processing center.
  • the above server may be a server with data processing functions, such as a cloud server, a network server, an application server, and a management server.
  • the above-mentioned server can receive the file operation request from the above-mentioned terminal device through the interactive interface, and then perform corresponding processing through the memory for storing data and the processor for executing data processing.
  • the above-mentioned memory may be a general term, including a database for local storage and storage of historical data, and the above-mentioned database may be on a server or on other network servers.
  • using the online file authority control method provided by the embodiment of the present application can verify the user's authority more quickly, and thus respond to the user's file operation request more quickly.
  • FIG. 1 is a flowchart of an online file permission control method provided by an embodiment of the present application. As shown in FIG. 1 , the steps of the method provided in this embodiment of the present application may be performed by a hardware device such as a server, or performed by a processor running computer-executable code, and the method includes:
  • the server receives a first file operation request from a terminal device.
  • the above-mentioned first file operation request is used to request to perform the first operation on the file of the first path.
  • the above-mentioned first file operation request carries the first token.
  • the above-mentioned first token may be brought into the above-mentioned first file operation request by the terminal device in the form of a request header or a request parameter.
  • the file in the first path may be understood as a file under the first path.
  • the above-mentioned first token includes a second path and a first operation set.
  • the above-mentioned first set of operations includes at least one operation.
  • the above-mentioned first path and the above-mentioned second path are both paths in the file management system running on the above-mentioned server.
  • the above-mentioned first path may be a path corresponding to a directory in the file management system run by the server, or may be a path corresponding to any file in the file management system run by the server, for example, a path corresponding to a file.
  • the second path may be a path corresponding to a directory in the file management system run by the server, or may be a path corresponding to any file in the file management system run by the server, such as a path corresponding to a file.
  • the first path may be the path of a file and the second path may be the path of a file/directory that includes the file.
  • the first path and the second path are the same path.
  • the files in the first path may be all files in a directory, or may be some files in a directory. That is to say, the online file authority control method provided by the embodiment of the present application can precisely control the access authority to any file or folder.
  • At least one operation included in the first operation set can be understood as a file operation that the terminal device that provides the first token can perform on the file of the second path, such as at least one of read, create, modify, lock, delete, move, and hide.
  • the above-mentioned first operation may be any one of reading, creating, modifying, locking, deleting, moving, hiding, and the like.
  • the operation authority (that is, the access authority) can be customized through the token, such as read, create, modify, lock, delete, move, hide, etc., to meet diverse needs.
  • the server performs the first operation on the file of the first path.
  • the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path includes the first path.
  • the server can verify the validity of the first token, which can prevent others from accessing the online file through the forged token.
  • the above-mentioned first token passes the validity check of the above-mentioned server, indicating that the above-mentioned first token is not a forged token.
  • the first token includes the second path and the first operation set, indicating that the terminal device that provides the first token has the authority to perform the operations in the first operation set on the file in the second path.
  • the terminal device must have the right to perform the first operation on the file in the first path.
  • the permission to perform the first operation on the file in the first path can be understood as the permission corresponding to the first file operation request, and the permission to perform each operation in the first operation set on the file in the second path is the permission corresponding to the first token.
  • the server only needs to verify the validity of the first token and whether the authority corresponding to the first file operation request is consistent with the authority corresponding to the first token, and does not need to query the authority information of the terminal device. It can be seen that the server can directly and quickly confirm whether the terminal device has the authority to perform the first operation on the file of the first path according to the above-mentioned first token and the above-mentioned first file operation request, which reduces the time spent on permission verification and effectively improves file access efficiency.
  • the first token further includes a validity period of the first token; the first condition further includes: the time when the server receives the first file operation request is within the validity period.
  • the validity period of the first token can be used to determine the validity of the first token. It should be understood that if the time when the server receives the first token (that is, the time when the first file operation request is received) is within the validity period of the first token, the first token is valid; otherwise, the first token is invalid.
  • because the first condition further includes that the time when the server receives the first file operation request is within the validity period, the server can quickly and accurately determine whether the token is valid.
  • the server may set different validity periods according to different permissions (corresponding to the first operation set). For example, for some high-risk operations such as modification and deletion of files, the validity period of the token will be set as short as possible; for some permissions to view files, the validity period can be relaxed.
  • the method flow in FIG. 1 can be understood as token-based access authority control, which is decoupled from the login authentication method (ie, the method of logging in to the file management system). That is to say, the access authority control implemented by the method flow in FIG. 1 has nothing to do with the login authentication method.
  • the login authentication methods of different terminal devices may be different, but the permission access control of files can be unified through tokens.
  • the server may also perform the following steps:
  • the server receives the second file operation request from the terminal device.
  • the above-mentioned second file operation request is used to request to perform the second operation on the file of the third path.
  • the second file operation request carries a second token, and the second token includes a fourth path and a second operation set.
  • the above-mentioned second operation set includes at least one operation.
  • the second file operation request is similar to the first file operation request.
  • the server rejects the second file operation request.
  • the second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the fourth path includes the third path.
  • the server rejecting the second file operation request may be: the server sends a response message to the terminal device, where the response message is used to instruct the server to reject the second file operation request.
  • the server rejecting the second file operation request may also mean that the server does not respond to the second file operation request (including not performing the second operation on the file in the third path).
  • the second token further includes the validity period of the second token; the second condition further includes: the time when the server receives the second file operation request is within the validity period of the second token.
  • when the server receives a file operation request (such as the first file operation request) that satisfies a preset condition (such as the first condition), the server performs the operation corresponding to the file operation request (such as the first operation) on the file; when the server receives a file operation request (such as the second file operation request) that does not satisfy the preset condition, the server rejects the file operation request. Thus the server only needs to verify the token carried in the file operation request to realize permission control, without querying the permission information of the user (corresponding to the terminal device), so the user's permission can be verified faster and the file operation request can be responded to faster.
  • FIG. 2 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application.
  • the method flow in FIG. 2 is a refinement and improvement of the method flow in FIG. 1 .
  • the steps of the method provided by the embodiment of the present application may be performed by a hardware device such as a server, or performed by a processor running computer-executable code, and the method includes:
  • the server receives a first file operation request from a terminal device.
  • step 201 is the same as the step 101 .
  • the server performs a legality check (confirming that the token is not forged) and a validity check on the first token.
  • the validity check is to check whether the time when the server receives the first file operation request is within the validity period.
  • the server may first perform the legality check on the first token, and then perform the validity check on the first token if the first token passes the legality check.
  • the server may first perform the validity check on the first token, and then perform the legality check on the first token after the first token passes the validity check.
  • the server may simultaneously (or in parallel) perform the legality check and the validity check on the first token.
  • the server verifies whether the first operation is included in the first operation set and whether the second path includes the first path.
  • the server does not need to verify whether the first operation is included in the first operation set and whether the second path includes the first path, which can avoid useless processing.
  • the server performs the first operation on the file of the first path.
  • Step 204 may be the same as step 102 and will not be described in detail here.
  • the first token is first checked for legality and validity, and only after the first token passes both checks is it verified whether the first operation is included in the first operation set and whether the second path includes the first path; this reduces how often that verification has to be performed and avoids some unnecessary operations, thereby saving verification time and improving processing efficiency.
  • FIG. 3 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application.
  • the method flow in FIG. 3 is a refinement and improvement of the method flow in FIG. 1 .
  • the steps of the method provided by the embodiment of the present application may be performed by a hardware device such as a server, or performed by a processor running computer-executable code, and the method includes:
  • the server receives a token acquisition request from a terminal device.
  • the above token acquisition request is used to acquire the token required to perform the first operation on the file of the first path.
  • the server can perform login authentication when the terminal device uses the target account to log in to the file management system the server is running; step 301 can be replaced with: the server receives an access operation, from the terminal device logged in with the target account, on the file of the first path in the above-mentioned file management system. For example, the terminal device can use the target account to log in to the file management system run by the server, and the server receives an access operation (e.g., an operation of clicking the icon of the file) from the terminal device to the file of the first path in the file management system.
  • the server obtains, according to the token obtaining request, the role permission information of the target account logged in by the terminal device.
  • the above-mentioned target account is an account used by the above-mentioned terminal device to log in to the file management system running on the server.
  • the role permission information of the target account may include the role of the target account and the permission corresponding to the role.
  • the file management system running on the server supports a variety of accounts with different roles. Accounts with different roles have different permissions, that is, a role corresponds to a certain permission.
  • the file management system running on the server supports accounts with three different roles: administrator, ordinary user, and advanced user.
  • the role of the target account is any of these three roles, and the permissions of the target account are the permissions corresponding to that role. In this example, the administrator has the most authority, and the ordinary user has the least authority.
  • various roles supported by the file management system running on the server and permissions corresponding to various roles can be set according to actual requirements, so as to more conveniently manage the permissions of accounts with different roles.
  • the server generates a first token according to the role permission information.
  • the server may run a file serving application, which (corresponding to a file management system) may provide file services.
  • the file service maintains a separate key, which is used to encrypt the token.
  • the file service may also provide a token generation interface, which accepts a path (e.g., the first path), a set of operations (e.g., the first set of operations), and an expiration time parameter (corresponding to the validity period), each of which can be customized by the caller (e.g., the owner of the online file).
  • the token generation interface can first use JSON Web Token to generate the initial token, and then encrypt the initial token based on the Hash-based Message Authentication Code Secure Hash Algorithm 256 (HMACSHA256) algorithm to obtain the above-mentioned first token.
  • the above server may store a secret key (Secret).
  • the file service can verify the token and the operation in the file operation request (for example, the above-mentioned first operation).
  • the server can provide a business gateway service, and the business gateway service can handle authentication tasks, such as authenticating the account and password used by the user to log in to the file management system.
  • the server can also have an independent user center, which is used to maintain the user's basic information and role permission information. After the user logs in to the file management system, the server can call the authentication interface of the user center to verify the user's role and permission information. The server can obtain the user's role permission information through the user center, and call the token generation interface of the file service to obtain the token. The server can be pre-configured with access rights of different role rights information, so calling the token generation interface of the file service can generate tokens that match the rights information of different roles.
  • the server sends the first token to the terminal device.
  • the server receives the first file operation request from the terminal device.
  • the server performs the first operation on the file of the first path.
  • Step 306 may be the same as step 102 and will not be described in detail here.
  • the server may execute steps 202 and 203 in FIG. 2, and then determine whether the first file operation request satisfies the first condition.
  • the server generates the first token, and sends the first token to the terminal device.
  • the server also verifies the validity and legality of the first token.
  • the generation and verification of the first token are uniformly managed and controlled by the server.
  • the server encrypts the initial token generated by the token generation interface based on the HMACSHA256 algorithm to obtain the first token. Others cannot forge the token, which can improve security.
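
The token generation and the checks of the first condition described above (token not forged, request time within the validity period, first operation in the first operation set, second path includes the first path), as an added Python example that is not code from the patent. The claim names `path`, `ops` and `exp`, the key `SECRET` and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import time

SECRET = b"constructed-demo-secret"  # assumption: the file service's separate key
HEADER = {"alg": "HS256", "typ": "JWT"}


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input, key):
    # HMAC-SHA256 is a keyed MAC: it makes the token unforgeable without the
    # key, but the path, operations and expiry stay readable to the holder.
    return b64e(hmac.new(key, signing_input.encode("utf-8"), hashlib.sha256).digest())


def issue_token(path, ops, ttl_seconds, now=None, key=SECRET):
    """Token generation interface: path, operation set and expiry are caller-supplied."""
    now = int(time.time()) if now is None else int(now)
    claims = {"path": posixpath.normpath(path), "ops": sorted(ops), "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64e(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (HEADER, claims)
    )
    return signing_input + "." + sign(signing_input, key)


def path_includes(token_path, request_path):
    """True if request_path is token_path itself or lies beneath it.

    Both paths are normalised first so that ".." segments cannot step out of
    the granted directory, and the comparison is made on a path boundary so
    that "/projects/alpha" does not include "/projects/alpha-private".
    """
    if not token_path.startswith("/") or not request_path.startswith("/"):
        return False
    granted = posixpath.normpath(token_path)
    wanted = posixpath.normpath(request_path)
    return granted == "/" or wanted == granted or wanted.startswith(granted + "/")


def authorize(token, request_path, operation, now=None, key=SECRET):
    """Return (allowed, reason) for one file operation request."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, signature = parts
    # Legality check: recompute the MAC over the received bytes and compare in
    # constant time. The algorithm is fixed here; the token header's "alg"
    # field is never consulted.
    expected = sign(header_b64 + "." + claims_b64, key)
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return False, "forged token"
    try:
        claims = json.loads(b64d(claims_b64))
    except ValueError:
        return False, "malformed token"
    # Validity check: the request must arrive inside the validity period.
    if now >= claims["exp"]:
        return False, "expired token"
    # Only now compare the requested permission with the token's permission.
    if operation not in claims["ops"]:
        return False, "operation not granted"
    if not path_includes(claims["path"], request_path):
        return False, "path not covered"
    return True, "ok"
```
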
  • the authorization control solution for an online file requires the cooperation of a server and a terminal device to be implemented.
  • the foregoing embodiments describe the method flow performed by the server in the online file permission control solution provided by the embodiments of the present application.
  • FIG. 4 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application. As shown in FIG. 4 , the steps of the method provided by this embodiment of the present application may be executed by hardware devices such as terminal devices, or executed by a processor running computer-executable codes, and the method includes:
  • the terminal device generates a first file operation request.
  • the above-mentioned first file operation request is used to request to perform the first operation on the file of the first path.
  • the first file operation request carries a first token, and the first token includes a second path and a first operation set.
  • the above-mentioned first set of operations includes at least one operation.
  • the above-mentioned first path and the above-mentioned second path are both paths in the file management system running on the above-mentioned server.
  • the above-mentioned first token is used by the above-mentioned server to verify whether the above-mentioned terminal device has the authority to perform the above-mentioned first operation on the file of the above-mentioned first path.
  • step 401 may be as follows: the terminal device obtains the first token cached by the browser or the client application; and based on the above-mentioned first token, the above-mentioned first file operation request is generated.
  • the terminal device sends a first file operation request to the server.
  • the terminal device sends a first file operation request carrying the first token to the server, so that the server can use the first token to quickly and accurately verify whether the terminal device (corresponding to the user) has the permission to perform the first operation on the file of the first path.
  • FIG. 5 is a flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application.
  • the method flow in FIG. 5 is a refinement and improvement of the method flow in FIG. 4 .
  • the steps of the method provided by this embodiment of the present application may be executed by hardware devices such as terminal devices, or executed by a processor running computer-executable codes, and the method includes:
  • the terminal device uses the target account to log in to the file management system run by the server.
  • the terminal device In response to the user's access operation to the file of the first path in the file management system, the terminal device sends a token acquisition request to the server.
  • the terminal device may display a page of the file management system, and the page may include one or more folders, each folder including at least one file; the user's operation of opening (e.g., clicking) the file of the first path is the user's access operation to the file of the first path in the file management system.
  • Step 502 may be: in response to the user's access operation to the file of the first path in the file management system, the terminal device sends a token acquisition request to the server in the case that it has not cached a token corresponding to the file of the first path.
  • a token corresponding to a file of a path may be a token that includes the path.
  • the terminal device receives the first token from the server, and caches the first token.
  • the terminal device caching the first token may be: a browser on the terminal device or a client application caches the first token.
  • the terminal device generates a first file operation request based on the first token.
  • step 504 is as follows: in response to the user's access operation to the file of the first path in the file management system, the terminal device, in the case that it has cached the first token corresponding to the file of the first path, generates the first file operation request based on the first token.
  • the terminal device may cache one or more tokens, and the paths corresponding to different tokens are different; before generating any file operation request, the terminal device may first obtain the token corresponding to the file operation request in the cache. For example, if the terminal device is to generate a file operation request for operating a file of the first path, the terminal device may obtain a token (e.g., a first token) whose path is the first path.
  • the terminal device sends a first file operation request to the server.
  • the terminal device can quickly obtain the first token, thereby quickly generating the first file operation request, so that the server can use the first token to quickly and accurately verify whether the terminal device (corresponding to the user) has the permission to perform the first operation on the file in the first path.
  • FIG. 6 is an interactive flowchart of an online file permission control method provided by an embodiment of the present application.
  • the method interaction flow in Fig. 6 includes the method flow executed by the server and the method flow executed by the terminal device.
  • the steps of the method provided by this embodiment of the present application may be executed by hardware devices such as terminal devices, or executed by a processor running computer-executable codes, and the interaction process of the method includes:
  • the terminal device detects an access operation by the user to the file of the first path in the file management system.
  • the file management system runs on the server.
  • the terminal device acquires the first token cached by the browser or the client application.
  • the first token includes a second path and a first operation set, and the first operation set includes at least one operation.
  • the above-mentioned second path includes the above-mentioned first path.
  • a possible implementation manner of step 602 is as follows: the terminal device obtains the token whose path is the first path from the multiple tokens cached by the browser or the client application, and obtains the first token.
  • the terminal device generates a first file operation request based on the first token.
  • the above-mentioned first file operation request is used to request to perform the first operation on the file of the first path.
  • the above-mentioned first file operation request carries the first token.
  • the terminal device sends a first file operation request to the server.
  • the server performs the first operation on the file.
  • the server performs the first operation on the file when the first file operation request satisfies the first condition; it does not need to query the permission information of the user (corresponding to the terminal device), so the authority of the user can be verified more quickly and the first file operation request can be responded to faster.
  • FIG. 7 is an interactive flowchart of another method for controlling the authority of an online file provided by an embodiment of the present application.
  • the method interaction flow in FIG. 7 includes the step of obtaining and buffering the first token by the terminal device.
  • the interaction flow of the method includes:
  • the terminal device detects an access operation of the user to the file of the first path in the file management system.
  • the terminal device can use the target account to log in to the file management system run by the server.
  • the terminal device sends a token acquisition request to the server in the case that the token including the first path is not cached.
  • the above token acquisition request is used to acquire the token required to perform the above first operation on the file in the above first path.
  • the token acquisition request may carry the first path or information indicating the first path.
  • the case where the terminal device does not cache the token including the first path may be that the terminal device does not query the token including the first path from the plurality of tokens cached by the browser or the client application.
  • the server obtains, according to the token obtaining request, the role permission information of the target account logged in by the terminal device.
  • the above-mentioned target account is an account used by the above-mentioned terminal device to log in to the file management system running on the server.
  • the server generates a first token according to the role permission information.
  • the role permission information may be referred to as access permission information (corresponding to the first set of operations).
  • user A can configure role permission information for user B in the following ways: 1) User A logs in to the file management system run by the server; 2) User A creates a file in the file management system. 3) User A configures role permission information for user B in the file management system (corresponding to the operations that user B can perform on the file).
  • the server sends the first token to the terminal device.
  • the terminal device caches the first token, and generates a first file operation request based on the first token.
  • when the terminal device requests the server to perform any operation on the file of the first path, the first token can be brought into the file operation request in the form of a request header or request parameter. That is, when the terminal device subsequently requests to perform any operation on the file of the first path, it can obtain the first token from the cache and generate a corresponding file operation request without obtaining the first token from the server again. Only after the first token becomes invalid does the terminal device need to obtain the first token from the server again and cache it.
  • the terminal device sends a first file operation request to the server.
  • the server performs the first operation on the file of the first path.
  • the terminal device may first obtain and cache the required token, so as to verify the user's authority more quickly in the future.
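
The terminal-side flow of FIG. 5 to FIG. 7 (look for a cached token whose path covers the requested file, ask the server only on a miss or after expiry, carry the token in a request header), as an added Python example that is not code from the patent. The header name `X-File-Token`, the claim names `path`, `ops` and `exp`, the `fetch_token` callable and the constructed token are assumptions; the terminal reads the claims without verifying them, since enforcement stays on the server.

```python
import base64
import json
import posixpath

TOKEN_HEADER = "X-File-Token"  # hypothetical name; the page only says "request header"


def read_claims(token):
    """Decode (without verifying) the claims segment of a JWT-style token."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def covers(token_path, request_path):
    """True if request_path is token_path itself or a file/directory beneath it."""
    granted = posixpath.normpath(token_path)
    wanted = posixpath.normpath(request_path)
    return granted == "/" or wanted == granted or wanted.startswith(granted + "/")


def constructed_token(path, ops, exp):
    """Constructed stand-in for the server's reply; the signature is a placeholder."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([seg({"alg": "HS256", "typ": "JWT"}),
                     seg({"path": path, "ops": ops, "exp": exp}),
                     "constructed-signature"])


class TokenCache:
    """Tokens cached by the browser or client application, selected by path."""

    def __init__(self, fetch_token, skew_seconds=5):
        # fetch_token(path, operation) -> token string: hypothetical callable
        # that sends the token acquisition request to the server.
        self.fetch_token = fetch_token
        self.skew_seconds = skew_seconds
        self.tokens = []

    def cached_token_for(self, path, now):
        # Drop tokens at or near the end of their validity period, so the
        # terminal never sends a token the server is about to reject.
        self.tokens = [t for t in self.tokens
                       if read_claims(t)["exp"] - self.skew_seconds > now]
        for token in self.tokens:
            if covers(read_claims(token)["path"], path):
                return token
        return None

    def build_request(self, path, operation, now):
        token = self.cached_token_for(path, now)
        if token is None:  # cache miss or expired: one token acquisition request
            token = self.fetch_token(path, operation)
            self.tokens.append(token)
        return {"path": path, "operation": operation,
                "headers": {TOKEN_HEADER: token}}
```
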
  • FIG. 8 is a schematic structural diagram of a server according to an embodiment of the present application. As shown in Figure 8, the server includes:
  • the transceiver unit 801 is configured to receive a first file operation request from a terminal device; the above-mentioned first file operation request is used to request to perform a first operation on a file of a first path, and the above-mentioned first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, and the first path and the second path are both paths in the file management system running on the server;
  • the processing unit 802 is configured to perform the above-mentioned first operation on the above-mentioned file when the above-mentioned first file operation request satisfies a first condition; the above-mentioned first condition includes: the above-mentioned first token passes the validity check of the above-mentioned server, The first operation is included in the first operation set and the second path includes the first path.
  • the first token further includes a validity period of the first token; the first condition further includes: the time when the server receives the first file operation request is within the validity period.
  • the processing unit 802 is further configured to perform a legality check and a validity check on the above-mentioned first token; the above-mentioned validity check is to verify whether the time at which the above-mentioned server receives the above-mentioned first file operation request is within the above-mentioned validity period; if the above-mentioned first token passes the legality check and the validity check, verify whether the above-mentioned first operation is included in the above-mentioned first operation set and whether the above-mentioned second path includes the above-mentioned first path.
  • the processing unit 802 is further configured to generate the above-mentioned first token; the above-mentioned transceiver unit is further configured to send the above-mentioned first token to the above-mentioned terminal device.
  • the processing unit 802 is configured to encrypt the above-mentioned initial token based on the HMACSHA256 algorithm to obtain the above-mentioned first token.
  • the processing unit 802 is configured to use JSON Web Token to generate the above-mentioned initial token.
  • the transceiver unit 801 is further configured to receive a token acquisition request from the above-mentioned terminal device, where the above-mentioned token acquisition request is used to acquire a token required to perform the above-mentioned first operation on the file of the above-mentioned first path
  • the processing unit 802 is further configured to obtain the role permission information of the target account logged in by the terminal device according to the token acquisition request; the target account is the account used by the terminal device to log in to the file management system; the processing unit 802 is configured to generate the above-mentioned first token according to the above-mentioned role permission information.
  • the processing unit 802 is further configured to use the above-mentioned target account to log in to the above-mentioned file management system through the above-mentioned terminal device for login authentication; The access operation of the file of the first path.
  • the transceiver unit 801 is further configured to receive a second file operation request from the above-mentioned terminal device; the above-mentioned second file operation request is used to request to perform a second operation on the file of the third path, and the above-mentioned second file operation request carries a second token, the second token includes a fourth path and a second operation set, and the second operation set includes at least one operation; the processing unit 802 is further configured to reject the second file operation request if the second file operation request does not satisfy the second condition; the second condition includes: the second token passes the validity check of the server, the second operation is included in the second operation set, and the above-mentioned fourth path includes the above-mentioned third path.
  • FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in Figure 9, the terminal equipment includes:
  • the processing unit 901 is configured to generate a first file operation request; the above-mentioned first file operation request is used to request to perform a first operation on a file of a first path, and the above-mentioned first file operation request carries a first token, the above-mentioned first token includes a second path and a first operation set, the first operation set includes at least one operation, the first path and the second path are both paths in the file management system run by the server, and the first token is used by the server to verify whether the terminal device has the authority to perform the first operation on the file in the first path;
  • the transceiver unit 902 is configured to send the above-mentioned first file operation request to the above-mentioned server.
  • the above-mentioned first token further includes a validity period of the above-mentioned first token, and the above-mentioned validity period is used to verify the validity of the above-mentioned first token.
  • the processing unit 901 is further configured to obtain the above-mentioned first token cached by the browser or the client application; the processing unit 901 is configured to generate the above-mentioned first file operation request based on the above-mentioned first token.
  • the transceiver unit 902 is further configured to send a token acquisition request to the above-mentioned server, where the above-mentioned token acquisition request is used to acquire the token required to perform the above-mentioned first operation on the file of the above-mentioned first path, and to receive the above-mentioned first token from the above-mentioned server; the above-mentioned first token is then cached.
  • the processing unit 901 is further configured to log in to the above-mentioned file management system using the target account; the transceiver unit 902 is further configured to send the above token acquisition request to the above server in response to a user's access operation to the file of the above-mentioned first path in the above-mentioned file management system.
  • the files in the first path are partial files in the same directory.
  • the first operation includes at least one of creating, modifying, locking, deleting, moving, and hiding.
  • each unit of the server and the terminal device is only a division of logical functions, and may be fully or partially integrated into a physical entity in actual implementation, or may be physically separated.
  • each of the above units can be separately established processing elements, or can be integrated into the same chip for implementation.
  • they can also be stored in the storage element of the controller in the form of program codes, which are called and executed by a certain processing element of the processor.
  • each unit can be integrated together, or can be implemented independently.
  • the processing element here may be an integrated circuit chip with signal processing capability.
  • each step of the above-mentioned method or each of the above-mentioned units may be completed by an integrated logic circuit of hardware in the processor element or an instruction in the form of software.
  • the processing element can be a general-purpose processor, such as a central processing unit (Central Processing Unit, CPU), or can be one or more integrated circuits configured to implement the above method, such as one or more application-specific integrated circuits (Application Specific Integrated Circuit, ASIC), or one or more microprocessors (Digital Signal Processor, DSP), or one or more field programmable gate arrays (Field Programmable Gate Array, FPGA), etc.
  • the server 1000 may vary greatly due to different configurations or performance, and may include one or more central processing units 1022 (for example, one or more processing devices) and memory 1032, and one or more storage media 1030 (e.g., one or more mass storage devices) that store applications 1042 or data 1044.
  • the memory 1032 and the storage medium 1030 may be short-term storage or persistent storage.
  • the program stored in the storage medium 1030 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the server.
  • the central processing unit 1022 may be configured to communicate with the storage medium 1030 to execute a series of instruction operations in the storage medium 1030 on the server 1000.
  • Server 1000 may also include one or more power supplies 1026, one or more wired or wireless network interfaces 1050, one or more input and output interfaces 1058, and/or one or more operating systems 1041, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
  • the steps performed by the server in the above embodiment may be based on the server structure shown in FIG. 10.
  • the central processing unit 1022 may implement the function of the processing unit 802 in FIG. 8.
  • the input/output interface 1058 may implement the function of the transceiver unit 801.
  • FIG. 11 is a schematic structural diagram of another terminal device 110 provided by an embodiment of the present application.
  • the terminal device shown in FIG. 11 includes a logic circuit 1101 and an interface 1102.
  • the logic circuit 1101 may implement the functions of the processing unit 901 in FIG. 9.
  • the interface 1102 can implement the functions of the transceiver unit 902 in FIG. 9.
  • the logic circuit 1101 may be a chip, a processing circuit, an integrated circuit, or a System on Chip (SoC) chip, etc.
  • the interface 1102 may be a communication interface, an input/output interface, and the like.
  • the logic circuit and the interface may also be coupled to each other.
  • the connection manner of the logic circuit and the interface is not limited in this embodiment of the present application.
  • FIG. 12 is a block diagram of a partial structure of a terminal device provided by an embodiment of the present application.
  • the terminal device 1200 may include a processor 1201, a memory 1202, an input device 1203, an output device 1204 and a bus 1205.
  • the processor 1201, the memory 1202, the input device 1203, and the output device 1204 can implement communication connection with each other through the bus 1205.
  • the bus 1205 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 12, but it does not mean that there is only one bus or one type of bus.
  • the processor 1201 can use a general-purpose central processing unit, a microprocessor, a graphics processing unit (Graphics Processing Unit, GPU), an application-specific integrated circuit, or one or more integrated circuits, for executing relevant programs to implement the technical solutions provided by the embodiments of the present application.
  • the processor 1201 may implement the functions of the processing unit 901 in FIG. 9.
  • the memory 1202 may be a read only memory (Read Only Memory, ROM), a static storage device, a dynamic storage device, or a random access memory (Random Access Memory, RAM). Memory 1202 may store operating systems, as well as other application programs.
  • the modules and functions required to be performed by the components included in the terminal device provided by the embodiments of the present application are implemented through software or firmware, or the program codes used to implement the above-mentioned methods provided by the method embodiments of the present application are stored in the memory 1202, and the processor 1201 reads the code in the memory 1202 to execute the operations required to be executed by the modules and components included in the terminal device, or to execute the above-mentioned methods provided in the embodiments of the present application.
  • the input device 1203 is used for inputting data and user instructions.
  • the input device may receive a token from the server.
  • the input device may input the user's access operation for the file of the first path.
  • the output device 1204 is used for outputting data and images.
  • the output device outputs file operation requests.
  • the output device 1204 displays a page of the file management system.
  • the output device 1204 may implement the functions of the transceiving unit 902 in FIG. 9.
  • the bus 1205 may include a pathway for transferring information between various components of the terminal device (e.g., the processor 1201, the memory 1202, the input device 1203, the output device 1204).
  • although the terminal device 1200 shown in FIG. 12 only shows the processor 1201, the memory 1202, the input device 1203, the output device 1204 and the bus 1205, those skilled in the art should understand that, in the actual implementation process, the terminal device 1200 also includes other components necessary for proper operation. Meanwhile, according to actual needs, those skilled in the art should understand that the terminal device 1200 may further include hardware devices that implement other additional functions. In addition, those skilled in the art should understand that the terminal device 1200 may also only include the necessary devices for implementing the embodiments of the present application, and does not necessarily include all the devices shown in FIG. 12.
  • Embodiments of the present application further provide a computer-readable storage medium, where computer codes are stored in the computer-readable storage medium, and when the computer codes are executed on the computer, the computer is made to execute the methods of the foregoing embodiments.
  • the embodiments of the present application also provide a computer program, the computer program includes computer-readable codes, when the computer-readable codes are executed on a computer, the methods in the above embodiments are executed.
  • Embodiments of the present application provide an authority control method, a server, a terminal, a storage medium, and a computer program.
  • the method includes: the server receives a first file operation request from a terminal device; the first file operation request is used to request to perform a first operation on a file of a first path, the first file operation request carries a first token, the first token includes a second path and a first operation set, the first operation set includes at least one operation, and the first path and the second path are both paths in the file management system run by the server; when the first file operation request satisfies the first condition, the server performs the first operation on the file; the first condition includes: the first token passes the validity check of the server, the first operation is included in the first operation set, and the second path includes the first path.
  • with the permission control method provided by the embodiment of the present application, there is no need to query the permission information of the user (corresponding to the terminal device), the permission of the user can be verified faster, and the first file
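
The first condition described above (the token passes the validity check, the operation is in the token's operation set, and the token's path includes the requested path) can be evaluated from the token alone. The following is an added example, not code from the patent; the HMAC-SHA256 token encoding, the key, the sample paths and the names `issue_token`, `check_request`, `path_includes` and `canonical` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, posixpath, time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_token(path, operations, ttl_seconds, now=None):
    """Bind a path, an operation set and a validity period into one signed token."""
    now = time.time() if now is None else now
    claims = {"path": path, "ops": sorted(operations), "exp": now + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def canonical(path):
    """Resolve '.', '..' and repeated slashes so containment is tested on real paths."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    return posixpath.normpath("/" + path.lstrip("/"))

def path_includes(token_path, requested_path):
    """True when requested_path is token_path itself or lies beneath it."""
    scope, target = canonical(token_path), canonical(requested_path)
    if scope == "/":
        return True
    # Compare on a directory boundary: "/projects/alpha" must not cover "/projects/alphabet".
    return target == scope or target.startswith(scope + "/")

def check_request(token, operation, requested_path, now=None):
    """Return (allowed, reason) for one file operation request; no permission lookup."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # validity check: integrity
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:                    # validity check: validity period
        return False, "token expired"
    if operation not in claims["ops"]:          # operation must be in the operation set
        return False, "operation not in operation set"
    try:
        if not path_includes(claims["path"], requested_path):
            return False, "path outside token path"
    except ValueError:
        return False, "invalid path"
    return True, "ok"

# Constructed sample: a token for /projects/alpha allowing create and modify for 60 s.
SAMPLE_TOKEN = issue_token("/projects/alpha", {"create", "modify"}, 60, now=1000)
```

The path test is where such a scheme most often goes wrong: a plain string-prefix comparison would accept `/projects/alphabet` and un-normalised `..` segments, so both paths are canonicalised and compared on a directory boundary.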

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present application relate to a permission control method, a server, a terminal, a storage medium and a computer program. The method comprises: receiving, by the server, a first file operation request from a terminal device, the first file operation request being used to request that a first operation be performed on a file of a first path, the first file operation request containing a first token, the first token comprising a second path and a first operation set, the first operation set comprising at least one operation, and the first path and the second path both being paths in a file management system run by the server; and, when the first file operation request satisfies first conditions, performing, by the server, the first operation on the file, the first conditions comprising the first token passing the validity check of the server, the first operation being present in the first operation set, and the first path being included in the second path. A permission of a user can be verified more quickly.
PCT/CN2021/105569 2021-03-15 2021-07-09 Permission control method, server, terminal, storage medium and computer program WO2022193494A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020227014600A KR20220130088A (ko) 2021-03-15 2021-07-09 Permission control method, server, terminal, storage medium and computer program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110274535.8 2021-03-15
CN202110274535.8A CN113051611B (zh) 2021-03-15 2021-03-15 Permission control method for online files and related products

Publications (1)

Publication Number Publication Date
WO2022193494A1 true WO2022193494A1 (fr) 2022-09-22

Family

ID=76512268

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/105569 WO2022193494A1 (fr) 2021-03-15 2021-07-09 Permission control method, server, terminal, storage medium and computer program

Country Status (3)

Country Link
KR (1) KR20220130088A (fr)
CN (1) CN113051611B (fr)
WO (1) WO2022193494A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113051611B (zh) * 2021-03-15 2022-04-29 上海商汤智能科技有限公司 Permission control method for online files and related products

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110601832A (zh) * 2019-09-27 2019-12-20 中煤航测遥感集团有限公司 Data access method and apparatus
CN111093197A (zh) * 2019-12-31 2020-05-01 北大方正集团有限公司 Permission authentication method, permission authentication system and computer-readable storage medium
CN111756753A (zh) * 2020-06-28 2020-10-09 中国平安财产保险股份有限公司 Permission verification method and system
US20200336310A1 (en) * 2017-05-19 2020-10-22 Intuit Inc. Coordinating access authorization across multiple systems at different mutual trust levels
CN113051611A (zh) * 2021-03-15 2021-06-29 上海商汤智能科技有限公司 Permission control method for online files and related products

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103488791B (zh) * 2013-09-30 2018-03-27 华为技术有限公司 Data access method, system and data warehouse
JP2019508763A (ja) * 2016-01-29 2019-03-28 グーグル エルエルシー Local device authentication
CN107613005B (zh) * 2017-09-20 2021-04-13 携程旅游信息技术(上海)有限公司 Reverse proxy method and apparatus, electronic device, storage medium
CN109657481B (zh) * 2017-10-12 2020-12-22 北京京东尚科信息技术有限公司 Data management method and apparatus
CN110909373B (zh) * 2018-09-18 2023-06-20 阿里巴巴集团控股有限公司 Access control method, device, system and storage medium
CN110363026B (zh) * 2019-07-19 2021-06-25 深圳前海微众银行股份有限公司 File operation method, apparatus, device, system and computer-readable storage medium
CN110855672A (zh) * 2019-11-15 2020-02-28 无锡家校邦网络科技有限公司 JWT-based manually revocable authorization method
CN112487450A (zh) * 2020-11-30 2021-03-12 银盛支付服务股份有限公司 File server access grading method

Also Published As

Publication number Publication date
CN113051611A (zh) 2021-06-29
CN113051611B (zh) 2022-04-29
KR20220130088A (ko) 2022-09-26

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2022523588

Country of ref document: JP

Kind code of ref document: A

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21931076

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21931076

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 23.02.2024)