CN113591121B - A method, device, equipment and storage medium for configuring resource access rights - Google Patents

Info

Publication number
CN113591121B
Authority
CN
China
Prior art keywords
resource
government
access
identifier
party application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110912700.8A
Other languages
Chinese (zh)
Other versions
CN113591121A (en)
Inventor
李祖金
莫兹栋
罗新良
邹鹤良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digital Guangdong Network Construction Co Ltd
Original Assignee
Digital Guangdong Network Construction Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Digital Guangdong Network Construction Co Ltd
Priority to CN202110912700.8A
Publication of CN113591121A
Application granted
Publication of CN113591121B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the present invention discloses a method, device, equipment and storage medium for configuring resource access rights. The method includes: in response to an access instruction from a third-party application to a government authentication platform, determining the application identifier of the third-party application, and the resource identifier and version number of each government resource associated with the government authentication platform; for each government resource, encrypting the application identifier and the resource identifier and version number of the government resource to obtain the access identifier of the government resource to the third-party application; issuing the access identifier of each government resource to the third-party application to configure the resource access rights of the third-party application to the government authentication platform. The resource access rights configuration of the third-party application to the government authentication platform is realized, which improves the convenience and efficiency of the resource access rights configuration, so that the access identifiers configured for each government resource on different third-party applications are different, thereby ensuring the security of resource access.

Description

Resource access right configuration method, device, equipment and storage medium
Technical Field
Embodiments of the invention relate to the technical field of permission configuration, and in particular to a method, device, equipment and storage medium for configuring resource access rights.
Background
During development of a government authentication platform, the government service system builds an organization tree from the hierarchical relationships among the government resources in each platform (such as the government departments and personnel set up under it), and each node of the tree stores the unique identifiers of the government resources at the corresponding level. When an application connects to the government authentication platform, the government service system tells the application the highest organization tree node it may access. The application is thereby granted access to all resources stored at that node and its subordinate nodes, and can recursively obtain the details of each resource by using the unique identifier of each resource it is permitted to access. However, because the unique identifier of a resource never changes, identifiers may be actively or passively leaked between third-party service providers, allowing applications that have no access rights to a resource to illegitimately obtain the sensitive information it contains.
At present, when each application is connected to its government authentication platform, the identifier of every resource accessible to that application is stored in a database in order to configure the application's access rights to each accessible resource. This produces an excessive amount of configuration data at connection time and reduces the efficiency of configuring resource access rights when the application is connected to the platform.
Disclosure of Invention
Embodiments of the invention provide a method, device, equipment and storage medium for configuring resource access rights, which make the configuration of resource access rights more convenient and efficient, and which ensure the security of resource access by giving each government resource a different access identifier on each third-party application.
In a first aspect, an embodiment of the present invention provides a method for configuring resource access rights, where the method includes:
in response to an access instruction from a third-party application to a government authentication platform, determining an application identifier of the third-party application, and a resource identifier and a version number of each government resource associated with the government authentication platform;
for each government resource, encrypting the application identifier together with the resource identifier and version number of that government resource to obtain an access identifier of the government resource for the third-party application;
and issuing the access identifier of each government resource to the third-party application, so as to configure the resource access rights of the third-party application on the government authentication platform.
In a second aspect, an embodiment of the present invention provides a device for configuring access rights of resources, where the device includes:
an application access response module, configured to determine, in response to an access instruction from a third-party application to a government authentication platform, an application identifier of the third-party application, and a resource identifier and a version number of each government resource associated with the government authentication platform;
an access identifier determining module, configured to encrypt, for each government resource, the application identifier together with the resource identifier and version number of that government resource to obtain an access identifier of the government resource for the third-party application;
and an access rights configuration module, configured to issue the access identifier of each government resource to the third-party application, so as to configure the resource access rights of the third-party application on the government authentication platform.
In a third aspect, an embodiment of the present invention provides a computer apparatus, including:
one or more processors;
a storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for configuring resource access rights according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for configuring resource access rights according to any embodiment of the present invention.
Embodiments of the invention provide a method, device, equipment and storage medium for configuring resource access rights. After an access instruction from a third-party application to a government authentication platform is received, the application identifier of the third-party application and the resource identifier and version number of each government resource associated with the platform are first determined. Then, for each government resource, the application identifier is encrypted together with the resource identifier and version number of that resource to obtain the access identifier of the government resource for the third-party application. As a result, each government resource has a different access identifier on each third-party application, and an access identifier configured for one third-party application cannot be used by another third-party application to access that resource, which ensures the security of resource access. Furthermore, issuing the access identifier of each government resource to the third-party application configures the application's resource access rights on the government authentication platform and makes that configuration more convenient and efficient.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
FIG. 1 is a flowchart of a method for configuring resource access rights according to a first embodiment of the present invention;
FIG. 2 is a flowchart of a method for configuring resource access rights according to a second embodiment of the present invention;
FIG. 3 is a flowchart of a method for configuring resource access rights according to a third embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a configuration device for resource access rights according to a fourth embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
FIG. 1 is a flowchart of a method for configuring resource access rights according to a first embodiment of the present invention. This embodiment applies when any government authentication platform is connected to a third-party application and the resource access rights within the platform are to be configured for that application. The method provided by this embodiment can be performed by the device for configuring resource access rights provided by the embodiments of the invention, which can be implemented in software and/or hardware and is integrated into the computer equipment that executes the method.
Referring to FIG. 1, the method includes the following steps:
S110, in response to an access instruction from the third-party application to the government authentication platform, determining the application identifier of the third-party application, and the resource identifier and version number of each government resource associated with the government authentication platform.
Specifically, the government authentication platform is a pre-developed government system that implements the government functions of a given government domain. It supports connection by different third-party applications and authenticates their identity, so that different users can view, through a connected third-party application, the government information under the corresponding functions of the platform. For example, the government authentication platform may be a pre-developed education department platform, and the third-party applications may be the campus network applications developed for the individual schools that the education department platform allows to connect.
Each government authentication platform contains government departments and personnel arranged by hierarchical level. A third-party application usually uses identification information, such as the account of a government department or person, to view the government function information that the platform allows that department or person to access. In other words, when the third-party application connects to the platform, the operation rights of the corresponding departments and personnel in the platform must be opened to the application so that it has permission to enter the platform and view the function information. Therefore, the government resources for which access rights must be configured in the third-party application may be the government departments, personnel and so on set up in the platform, and the application uses their identification information to enter the platform and view each supported item of function information.
At the same time, the government departments, personnel and so on in the platform may change, and the access rights to the government resources may change with them. To keep the access rights to the government resources accurate, the version number of each government resource is recorded in real time to represent its latest version.
To ensure that the government resources in the platform are covered completely, the government service system builds an organization architecture tree from the hierarchical relationships among the government resources in each platform (such as the government departments and personnel set up under it), and stores the identification information of the government resources at each level on the corresponding node of the tree. When government resources in the platform change, for example when its departments or personnel change, the organization architecture tree on the government service system is updated accordingly so that the government resources in the platform remain accurate.
In this embodiment, when a third-party application requests to connect to a government authentication platform, the platform receives the access instruction sent by the application. To configure the application's access rights to each government resource in the platform, the platform forwards the received access instruction to the government service system, which configures the application's resource access rights for the platform according to the organization architecture tree it has built in advance for that platform.
Specifically, in response to the access instruction from the third-party application to the government authentication platform, the resource identifier and version number of each government resource associated with the platform are first looked up in the pre-built organization architecture tree, so that both can be used together to configure the application's access rights to each government resource. In addition, to prevent the access rights to a government resource from being leaked between third-party applications, which would let an application without access rights use the leaked rights to access the resource illegally, this embodiment also determines the application identifier of the third-party application. The application identifier is subsequently used as well in configuring the application's access rights to each government resource in the platform, which ensures that different third-party applications hold different access rights to the same government resource.
Note that in this embodiment the application identifier of the third-party application may be an 8-byte binary code, denoted app_id. The resource identifier of any government resource may be a 24-byte binary code, denoted UID. The version number of a government resource may be a 4-byte binary code, denoted U_V, which is a self-incrementing sequence number that increases each time the government resource changes in the government authentication platform.
S120, for each government resource, encrypting the application identifier together with the resource identifier and version number of that government resource to obtain the access identifier of the government resource for the third-party application.
Optionally, once connected to the government authentication platform, the third-party application needs to be able to access the information of each government resource associated with the platform, so this embodiment configures the application's access rights to each of those resources.
Specifically, for each government resource, this embodiment uses the application identifier of the third-party application together with the resource identifier and version number of the government resource to configure the application's access rights to that resource. The three values can be encrypted together with the third-party application's generated key, yielding the access identifier of the government resource for the third-party application, which the application can later use to access the resource. Performing this operation for every government resource yields the access identifier of each government resource for the third-party application. Because the access identifier carries the application identifier of the third-party application, different third-party applications hold different access identifiers for the same government resource, and an access identifier configured for one third-party application cannot be used by another third-party application to access that resource. This ensures the security of resource access and prevents a third-party application from accessing a government resource illegally.
For each government resource, the application identifier of the third-party application and the resource identifier and version number of the government resource are combined, and the combined identification information is encrypted to obtain the access identifier of the government resource for the third-party application. For example, the application identifier app_id occupies the low 8 bytes, the resource identifier UID of the government resource occupies the middle 24 bytes, and the version number U_V of the government resource occupies the high 4 bytes, and these are spliced into a new UID 36 bytes long. The new UID is then encrypted with the third-party application's generated key and Base64-encoded to produce the access identifier of the government resource for the third-party application. The access identifier is a 48-byte binary code, denoted app_uid, and represents the third-party application's identification code for the government resource.
S130, issuing the access identifier of each government resource to the third-party application, so as to configure the resource access rights of the third-party application on the government authentication platform.
Optionally, once the access identifier of the third-party application for each government resource in the government authentication platform has been determined, the access identifiers are issued directly to the third-party application. The application can then store the access identifier of each government resource after connecting to the platform, and can later use the access identifier of any government resource to view the function information of that resource in the platform. This configures the resource access rights of the third-party application on the government authentication platform.
For example, after the third-party application receives the access identifier of each government resource, it may record the access identifiers as key-value pairs in a preset permission configuration table, thereby configuring its resource access rights on the government authentication platform. When the application needs to log in to the connected government authentication platform to view the function information of a government resource, it can read the access identifier of that resource directly from the permission configuration table and then log in to the platform with it.
In the technical solution of this embodiment, after an access instruction from a third-party application to a government authentication platform is received, the application identifier of the third-party application and the resource identifier and version number of each government resource associated with the platform are first determined. Then, for each government resource, the application identifier is encrypted together with the resource identifier and version number of that resource to obtain the access identifier of the government resource for the third-party application. As a result, each government resource has a different access identifier on each third-party application, and an access identifier configured for one third-party application cannot be used by another third-party application to access that resource, which ensures the security of resource access. Furthermore, issuing the access identifier of each government resource to the third-party application configures the application's resource access rights on the government authentication platform and makes that configuration more convenient and efficient.
Example 2
FIG. 2 is a flowchart of a method for configuring resource access rights according to a second embodiment of the present invention. This embodiment is an optimization based on the foregoing embodiment. Optionally, it mainly explains in detail the specific process of configuring the resource access rights of the government authentication platform for the third-party application, and the process of updating that configuration.
Referring to FIG. 2, the method of this embodiment may include:
S210, in response to an access instruction from the third-party application to the government authentication platform, determining the application identifier of the third-party application, and the resource identifier and version number of each government resource associated with the government authentication platform.
S220, randomly generating an encryption key for the third-party application, so as to encrypt the application identifier and the resource identifier and version number of each government resource.
Optionally, to facilitate the subsequent encryption of the application identifier of the third-party application and the resource identifier and version number of each government resource, this embodiment first randomly generates an encryption key for the third-party application. The encryption key may be 32 bytes long and is denoted app_k. The encryption key generated in advance for the third-party application is then stored in a corresponding storage system, so that for each government resource it can be used to encrypt the application identifier together with the resource identifier and version number of that resource.
S230, authenticating the government identity of the third-party application and, after the authentication passes, encrypting for each government resource the application identifier together with the resource identifier and version number of that government resource.
In this embodiment, to ensure the validity of every third-party application connected to the government authentication platform, for a third-party application that has issued an access instruction to the platform, the government identity of the application is first authenticated before the resource access rights of the platform are configured for it. For example, when the campus network application of a school requests to connect to the education platform, it is first verified whether the school is a genuine school authenticated by the education platform. Only after the third-party application passes authentication is the application identifier encrypted, for each government resource, together with the resource identifier and version number of that resource, so as to configure the resource access rights of the third-party application on the government authentication platform.
S240, for each government resource, encrypting the application identifier together with the resource identifier and version number of that government resource to obtain the access identifier of the government resource for the third-party application.
S250, issuing the access identifier of each government resource to the third-party application, so as to configure the resource access rights of the third-party application on the government authentication platform.
S260, in response to a resource update operation of the government authentication platform, or in response to a configuration update request from the third-party application, issuing to the third-party application the access identifier of each government resource as updated in the government authentication platform, so as to update the configuration of the third-party application's resource access rights on the government authentication platform.
Optionally, when resources such as departments and personnel in the government affair authentication platform change, the organization tree structure in the government affair service system also changes, so that the configured resource access rights in each application also need to be relatively adjusted, and therefore, the resource access rights of the third party application facing the government affair authentication platform are configured, and the resource access rights are updated. At this time, the embodiment may respond to the resource update operation of the government authentication platform, and when detecting that the government resources in the government authentication platform have variation, the steps of S210-S240 are re-executed, determine the access identifier of the third party application for each updated government resource in the government authentication platform, and then actively issue the access identifier of each updated government resource in the government authentication platform to the third party application, so as to update the configuration of the resource access authority of the third party application for the government authentication platform. 
Or the third party application may report the configuration update request for the resource access rights in the government authentication platform to the government service system periodically, the government service system may re-execute the steps of S210-S240 in response to the configuration update request of the third party application, determine the access identifier of the third party application for each updated government resource in the government authentication platform, and then issue the access identifier of each updated government resource in the government authentication platform to the third party application, so as to update the resource access rights of the third party application for the government authentication platform periodically, thereby simplifying complexity of configuration maintenance of the resource access rights in the third party application, and improving efficient and convenient maintenance of the configuration of the resource access rights in the third party application.
After receiving an access instruction of a third party application for a government service authentication platform, the technical scheme provided by the embodiment determines an application identifier of the third party application and a resource identifier and version number of each government service resource associated with the government service authentication platform, encrypts the application identifier and the resource identifier and the version number of each government service resource for each government service resource to obtain an access identifier of the government service resource for the third party application, so that the access identifiers configured by each government service resource on different third party applications are different, and the access identifier configured by a certain third party application for a certain government service resource cannot realize the access of another third party application to the government service resource, thereby ensuring the security of resource access; furthermore, the access identification of each government resource is issued to the third party application, so that the resource access authority configuration of the third party application facing the government authentication platform is realized, and the convenience and the high efficiency of the resource access authority configuration are improved.
Example III
Fig. 3 is a flowchart of a method for configuring resource access rights according to a third embodiment of the present invention. This embodiment is optimized on the basis of the above embodiments. Optionally, this embodiment mainly explains in detail the specific process by which a third party application accesses a particular government resource in the government affair authentication platform after the third party application's resource access rights for the government affair authentication platform have been configured.
Specifically, referring to fig. 3, the method of this embodiment may specifically include:
S310, in response to an access instruction of the third party application for the government affair authentication platform, determining an application identifier of the third party application, and the resource identifier and version number of each government resource associated with the government affair authentication platform.
S320, encrypting the application identifier, the resource identifier and the version number of each government resource to obtain the access identifier of the government resource for the third party application.
S330, issuing access identification of each government resource to the third party application to configure resource access rights of the third party application to the government authentication platform.
S340, in response to the access request of the third party application to the target resource, decrypting the access identifier of the target resource to obtain the resource identifier of the target resource.
Optionally, after the resource access rights for the government affair authentication platform have been configured in the third party application, the third party application can access any government resource in the government affair authentication platform. The third party application can report an access request for the target resource to the government affair authentication platform, the government affair authentication platform forwards the access request to the government service system, and the government service system looks up the detailed information of the target resource.
Specifically, in response to an access request of a third party application for a target resource, the government service system first parses the access identifier of the target resource from the access request and then decrypts it to obtain the resource identifier of the target resource. The resource identifier is subsequently used to look up the resource access information of the target resource, which is issued to the third party application.
In addition, the result of decrypting the access identifier of the target resource may further include a corresponding target application identifier and target version number. In that case, to ensure the access security of the target resource, the embodiment compares the target application identifier with the application identifier of the third party application. If the two are consistent, it goes on to compare the target version number with the version number of the target resource, and when these are also consistent, it uses the resource identifier of the target resource to issue the resource access information of the target resource to the third party application. If the target application identifier is inconsistent with the application identifier of the third party application, or the target version number is inconsistent with the version number of the target resource, an illegal access message for the target resource is issued to the third party application.
That is, the target application identifier in the access identifier of the target resource is used to verify the application identifier of the third party application, determining whether the access identifier of the target resource was configured for this third party application when it accessed the government affair authentication platform, or was configured for another third party application and forwarded to this one. When the two are consistent, the third party application is a legal application accessing the government affair authentication platform. The target version number is then used to verify the version number of the target resource, determining whether the target resource has changed since the third party application accessed the government affair authentication platform. Only when the two version numbers are consistent is the third party application determined to have the right to access the target resource, and the resource identifier of the target resource is then used to look up the resource access information of the target resource.
S350, utilizing the resource identification of the target resource, issuing resource access information of the target resource to the third party application.
Optionally, when the third party application's access is determined to be legal, the resource identifier of the target resource can be used to find the resource access information of the target resource in the government affair authentication platform and issue it to the third party application, so as to achieve secure access to the government resource.
It should be noted that, to keep the third party application's resource access rights configuration and its secure resource access properly separated, this embodiment provides two different types of interface, such as an interface A for checking data authority and an interface B without data authority. The configuration of the third party application's resource access rights for the government affair authentication platform is performed through interface A, and the secure access of the third party application to a target resource in the government affair authentication platform is performed through interface B.
According to the technical scheme provided by this embodiment, after the third party application's resource access rights for the government affair authentication platform have been configured, whether the third party application's access is legal can be judged from the application identifier, resource identifier and version number in the access identifier of the target resource. Because the access identifiers configured for a government resource differ between third party applications, the access identifier configured for one third party application for a government resource cannot be used by another third party application to access that resource, which ensures the security of resource access.
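The issuance and verification flow of S320-S350, together with the version-driven invalidation behind the configuration update of S260, as an added Go example that is not code from the patent. The cipher (AES-256-GCM), the JSON layout of the combined identifiers, the in-memory maps and every type and function name are assumptions; the patent states only that the three values are combined and encrypted under a randomly generated key of the third party application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assumptions (not from the patent): AES-256-GCM, JSON claims, in-memory maps, all names.
var ErrIllegalAccess = fmt.Errorf("illegal access to target resource")

type claims struct { // the combined identification information that is encrypted
	AppID      string `json:"app"`
	ResourceID string `json:"res"`
	Version    int    `json:"ver"`
}

// Service stands in for the government service system (hypothetical type).
type Service struct {
	appKeys  map[string][]byte // randomly generated key per application
	versions map[string]int    // current version number of each resource
}

func NewService() *Service {
	return &Service{appKeys: map[string][]byte{}, versions: map[string]int{}}
}

func (s *Service) Publish(resourceID string, version int) { s.versions[resourceID] = version }

// Register randomly generates the AES-256 key of an authenticated application.
func (s *Service) Register(appID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	s.appKeys[appID] = key
	return nil
}

func (s *Service) aead(appID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.appKeys[appID]) // unregistered app: empty key, error
	if err != nil {
		return nil, ErrIllegalAccess
	}
	return cipher.NewGCM(block)
}

// Issue encrypts (application id, resource id, version) into an access identifier.
func (s *Service) Issue(appID, resourceID string) (string, error) {
	ver, ok := s.versions[resourceID]
	if !ok {
		return "", fmt.Errorf("unknown resource %q", resourceID)
	}
	gcm, err := s.aead(appID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain, _ := json.Marshal(claims{appID, resourceID, ver}) // cannot fail for this struct
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// Resolve decrypts with the caller's key, then compares application id and version.
func (s *Service) Resolve(callerAppID, accessID string) (string, error) {
	gcm, err := s.aead(callerAppID)
	if err != nil {
		return "", ErrIllegalAccess
	}
	raw, err := base64.RawURLEncoding.DecodeString(accessID)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", ErrIllegalAccess
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil { // another application's identifier, or a modified one
		return "", ErrIllegalAccess
	}
	var c claims
	if json.Unmarshal(plain, &c) != nil || c.AppID != callerAppID {
		return "", ErrIllegalAccess
	}
	if cur, ok := s.versions[c.ResourceID]; !ok || cur != c.Version {
		return "", ErrIllegalAccess // resource changed since the identifier was issued
	}
	return c.ResourceID, nil
}

func main() {
	s := NewService()
	s.Publish("dept-42", 1) // constructed sample resource id
	_ = s.Register("campus-app")
	id, _ := s.Issue("campus-app", "dept-42")
	fmt.Println(s.Resolve("campus-app", id))
}
```

With a separate key per application, a forwarded identifier already fails at decryption; the explicit application identifier comparison is what still catches it if several applications ever share one key. An authenticated mode is used so that a modified identifier is rejected outright rather than decrypting to altered field values.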
Example IV
Fig. 4 is a schematic structural diagram of a device for configuring resource access rights according to a fourth embodiment of the present invention, where, as shown in fig. 4, the device may include:
an application access response module 410, configured to determine an application identifier of a third party application and a resource identifier and a version number of each government resource associated with the government authentication platform in response to an access instruction of the third party application to the government authentication platform;
an access identifier determining module 420, configured to encrypt, for each government resource, the application identifier, and the resource identifier and version number of the government resource, to obtain an access identifier of the government resource for the third party application;
and an access right configuration module 430, configured to issue an access identifier of each government resource to the third party application, so as to configure the resource access right of the third party application facing the government authentication platform.
In the technical scheme provided by this embodiment, after an access instruction of a third party application for the government affair authentication platform is received, the application identifier of the third party application and the resource identifier and version number of each government resource associated with the government affair authentication platform are determined. For each government resource, the application identifier and the resource identifier and version number of that government resource are encrypted to obtain the access identifier of the government resource for the third party application. The access identifiers configured for a given government resource therefore differ between third party applications, and the access identifier configured for one third party application for a government resource cannot be used by another third party application to access that resource, which ensures the security of resource access. Furthermore, issuing the access identifier of each government resource to the third party application configures the third party application's resource access rights for the government affair authentication platform, making the configuration of resource access rights more convenient and efficient.
Further, the above access identifier determining module 420 may be specifically configured to:
combine, for each government resource, the application identifier of the third party application with the resource identifier and version number of the government resource, and encrypt the combined identification information of the government resource to obtain the access identifier of the government resource for the third party application.
Further, the device for configuring the resource access right may further include:
a key generation module, configured to randomly generate an encryption key of the third party application, so as to encrypt, for each government resource, the application identifier and the resource identifier and version number of the government resource.
Further, the device for configuring the resource access right may further include:
a configuration updating module, configured to, in response to a resource update operation of the government affair authentication platform or a configuration update request of the third party application, issue the access identifier of each government resource updated by the government affair authentication platform to the third party application, so as to update the configuration of the third party application's resource access rights for the government affair authentication platform.
Further, the device for configuring the resource access right may further include:
an application authentication module, configured to authenticate the government identity of the third party application, so that after the authentication is passed, the application identifier and the resource identifier and version number of each government resource are encrypted for that government resource.
Further, the device for configuring the resource access right may further include:
an access identifier decryption module, configured to decrypt the access identifier of the target resource, in response to an access request of the third party application for the target resource, to obtain the resource identifier of the target resource;
and a resource access module, configured to issue the resource access information of the target resource to the third party application by using the resource identifier of the target resource.
Further, the decryption result of the access identifier of the target resource may further include a corresponding target application identifier and a target version number.
Correspondingly, the device for configuring the resource access authority may further include:
an access verification module, configured to compare the target application identifier with the application identifier of the third party application, to go on to compare the target version number with the version number of the target resource if the two are consistent, and, when these are also consistent, to issue the resource access information of the target resource to the third party application by using the resource identifier of the target resource;
and a legal access processing module, configured to issue an illegal access message for the target resource to the third party application if the target application identifier is inconsistent with the application identifier of the third party application or the target version number is inconsistent with the version number of the target resource.
The device for configuring resource access rights provided by this embodiment is applicable to the method for configuring resource access rights provided by any of the above embodiments, and has the corresponding functions and beneficial effects.
Example V
Fig. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. As shown in fig. 5, the computer device includes a processor 50, a storage device 51, and a communication device 52. The number of processors 50 in the computer device may be one or more, and one processor 50 is taken as an example in fig. 5. The processor 50, the storage device 51 and the communication device 52 of the computer device may be connected by a bus or by other means; connection by a bus is taken as an example in fig. 5.
The storage device 51 is a computer readable storage medium, and may be used to store a software program, a computer executable program, and a module, such as a module corresponding to a method for configuring resource access rights in an embodiment of the present invention (for example, an application access response module 410, an access identifier determining module 420, and an access rights configuring module 430 in a device for configuring resource access rights). The processor 50 executes various functional applications of the computer device and data processing, that is, implements the above-described configuration method of resource access rights, by running software programs, instructions, and modules stored in the storage 51.
The storage device 51 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to the use of the terminal, etc. In addition, the storage device 51 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the storage device 51 may further include memory remotely located relative to the processor 50, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The communication means 52 may be used to enable a network connection or a mobile data connection between the devices.
The computer device provided by this embodiment can be used to execute the method for configuring resource access rights provided by any of the above embodiments, and has the corresponding functions and beneficial effects.
Example VI
The sixth embodiment of the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for configuring resource access rights in any of the above embodiments. The method specifically comprises the following steps:
in response to an access instruction of a third party application for a government affair authentication platform, determining an application identifier of the third party application, and a resource identifier and a version number of each government resource associated with the government affair authentication platform;
for each government resource, encrypting the application identifier and the resource identifier and version number of the government resource to obtain an access identifier of the government resource for the third party application;
and issuing the access identifier of each government resource to the third party application, so as to configure the third party application's resource access rights for the government affair authentication platform.
Of course, the storage medium containing the computer executable instructions provided in the embodiments of the present invention is not limited to the method operations described above, and may also perform the related operations in the method for configuring the resource access rights provided in any embodiment of the present invention.
From the above description of embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk, or an optical disk of a computer, etc., and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
It should be noted that, in the embodiment of the configuration device of resource access rights, each unit and module included are only divided according to the functional logic, but not limited to the above-mentioned division, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, and various modifications and variations may be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. A method for configuring resource access rights, characterized by comprising the following steps:
Responding to an access instruction of a third party application for a government affair authentication platform, determining an application identifier of the third party application, forwarding the received access instruction to a government affair service system by the government affair authentication platform, and searching resource identifiers and version numbers of government affair resources associated with the government affair authentication platform from an organization architecture tree preformed for the government affair authentication platform by the government affair service system;
encrypting the application identifier, the resource identifier of the government resource and the version number aiming at each government resource to obtain an access identifier of the government resource for the third party application;
Issuing an access identifier of each government resource to the third party application so as to configure the resource access authority of the third party application facing the government authentication platform;
After issuing access identifiers of each government resource to the third party application, responding to an access request of the third party application to the government authentication platform, forwarding the access request to a government service system by the government authentication platform, analyzing the access identifiers of the target resource from the access request by the government service system, and decrypting the access identifiers of the target resource to obtain a target application identifier, a target version number and a resource identifier of the target resource;
comparing the target application identifier with the application identifier of the third party application, if the target application identifier and the application identifier of the third party application are consistent, continuously comparing the target version number with the version number of the target resource, and when the target version number and the version number are consistent, issuing resource access information of the target resource to the third party application by utilizing the resource identifier of the target resource;
and if the target application identifier is inconsistent with the application identifier of the third-party application or the target version number is inconsistent with the version number of the target resource, issuing an illegal access message of the target resource to the third-party application.
2. The method of claim 1, wherein encrypting the application identifier and the resource identifier and the version number of the government resource for each government resource to obtain the access identifier of the government resource for the third party application includes:
and combining the application identifier of the third party application, the resource identifier and the version number of the government resource aiming at each government resource, and encrypting the identification information after the government resource combination to obtain the access identifier of the government resource for the third party application.
3. The method of claim 1, wherein in determining the application identification of the third party application and the resource identification and version number of each government resource associated with the government certification platform, further comprising:
And randomly generating an encryption key of the third party application so as to encrypt the application identifier, the resource identifier of the government resource and the version number of the government resource aiming at each government resource.
4. The method of claim 1, further comprising, after issuing the access identifier for each government resource to the third party application:
and responding to the resource updating operation of the government affair authentication platform or responding to the configuration updating request of the third party application, and issuing the access identifier of each government affair resource updated by the government affair authentication platform to the third party application so as to perform configuration updating on the resource access authority of the third party application facing the government affair authentication platform.
5. The method of claim 1, further comprising, prior to encrypting the application identification and the resource identification and version number of each government resource:
and authenticating the government identity of the third party application, and encrypting the application identifier, the resource identifier of the government resource and the version number of the government resource for each government resource after the authentication is passed.
6. A device for configuring access rights to resources, comprising:
The application access response module is used for responding to an access instruction of a third party application for a government affair authentication platform, determining an application identifier of the third party application, forwarding the received access instruction to a government affair service system by the government affair authentication platform, and searching resource identifiers and version numbers of government affair resources associated with the government affair authentication platform from an organization architecture tree preformed for the government affair authentication platform by the government affair service system;
The access identification determining module is used for encrypting the application identification, the resource identification of the government resource and the version number aiming at each government resource to obtain the access identification of the government resource for the third party application;
The access right configuration module is used for issuing an access identifier of each government resource to the third party application so as to configure the resource access right of the third party application facing the government authentication platform;
The access identifier decryption module is used for responding to an access request of the third party application to the government affair authentication platform, which is reported to the government affair authentication platform, after the access identifier of each government affair resource is issued to the third party application, forwarding the access request to a government affair service system by the government affair authentication platform, analyzing the access identifier of the target resource from the access request by the government affair service system, and decrypting the access identifier of the target resource to obtain a target application identifier, a target version number and a resource identifier of the target resource;
The access verification module is used for comparing the target application identifier with the application identifier of the third party application, if the target application identifier and the application identifier of the third party application are consistent, the target version number and the version number of the target resource are continuously compared, and when the target version number and the version number are consistent, the resource identifier of the target resource is utilized to issue resource access information of the target resource to the third party application;
The legal access processing module is used for issuing an illegal access message of the target resource to the third party application if the target application identifier is inconsistent with the application identifier of the third party application or the target version number is inconsistent with the version number of the target resource.
7. A computer device, the computer device comprising:
One or more processors;
A storage means for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method for configuring resource access rights recited in any one of claims 1-5.
8. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements a method for configuring resource access rights according to any of claims 1-5.
CN202110912700.8A 2021-08-10 2021-08-10 A method, device, equipment and storage medium for configuring resource access rights Active CN113591121B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110912700.8A CN113591121B (en) 2021-08-10 2021-08-10 A method, device, equipment and storage medium for configuring resource access rights

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110912700.8A CN113591121B (en) 2021-08-10 2021-08-10 A method, device, equipment and storage medium for configuring resource access rights

Publications (2)

Publication Number Publication Date
CN113591121A CN113591121A (en) 2021-11-02
CN113591121B CN113591121B (en) 2024-11-15

Family

ID=78256636

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110912700.8A Active CN113591121B (en) 2021-08-10 2021-08-10 A method, device, equipment and storage medium for configuring resource access rights

Country Status (1)

Country Link
CN (1) CN113591121B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114201418B (en) * 2021-12-13 2024-05-03 珠海格力电器股份有限公司 Data access method, device, electronic equipment and storage medium
CN115514528B (en) * 2022-08-22 2024-12-20 北京达佳互联信息技术有限公司 Resource permission processing method, device, electronic device and storage medium
CN117118758B (en) * 2023-10-24 2024-02-02 中国标准化研究院 Data exchange processing method and system for big data integrated government affairs

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103795692A (en) * 2012-10-31 2014-05-14 中国电信股份有限公司 Open authorization method, open authorization system and authentication and authorization server
CN106230838A (en) * 2016-08-04 2016-12-14 中国银联股份有限公司 A kind of third-party application accesses the method and apparatus of resource
CN110457932A (en) * 2019-08-19 2019-11-15 赛尔网络有限公司 Determine the method, apparatus, equipment and medium of resource access authority

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8218435B2 (en) * 2006-09-26 2012-07-10 Avaya Inc. Resource identifier based access control in an enterprise network
CN101764742B (en) * 2009-12-30 2015-09-23 福建星网锐捷网络有限公司 A kind of network resource visit control system and method
US8650657B1 (en) * 2010-05-18 2014-02-11 Google Inc. Storing encrypted objects
US8799647B2 (en) * 2011-08-31 2014-08-05 Sonic Ip, Inc. Systems and methods for application identification
CN104703162B (en) * 2014-12-27 2018-11-30 华为技术有限公司 A kind of method, apparatus and system by application access third party's resource
CN106295394B (en) * 2016-07-22 2018-11-23 飞天诚信科技股份有限公司 Resource authorization method and system and authorization server and working method
CN109922128A (en) * 2019-01-08 2019-06-21 中金数据(武汉)超算技术有限公司 A kind of data safety exchange method suitable for across cloud service deployment environment
CN110442617A (en) * 2019-06-27 2019-11-12 华迪计算机集团有限公司 A kind of method and system carrying out dynamic processing to statistical data based on administration cell


Also Published As

Publication number Publication date
CN113591121A (en) 2021-11-02


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant