CN119089434B - Authority data processing method, system and storage medium - Google Patents
- Publication number
- CN119089434B (CN202411578862.2A)
- Authority
- CN
- China
- Prior art keywords
- authority
- data
- verification
- interface
- path
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The application relates to the field of computers and discloses a permission data processing method, system and storage medium. The method is applied to a management end and comprises: issuing a software development kit so that an application end integrates the software development kit and thereby establishes a communication connection with the management end; maintaining all interface information and user data in real time; generating a permission association path according to the interface information so that the application end performs interface permission verification on a user operation request according to the permission association path; and sending the user data to the application end so that the application end performs data permission verification on the user operation request. By integrating the software development kit, the application end runs the permission control logic contained in it and can therefore implement the permission verification function quickly, without code changes at the application end and with less intrusion into the code logic of the service layer.
Description
Technical Field
The present application relates to the field of computers, and in particular, to a method, a system, and a storage medium for processing rights data.
Background
At present, corresponding permission verification must be set up to ensure the security of data access in a system. In general, the permission verification functions have to be written in the underlying code before the system goes online, and once the permission settings are written in code they cannot easily be changed. If the permission settings need to change, the code must be rewritten and the system reissued, which greatly reduces the flexibility of the system's permission verification configuration.
Disclosure of Invention
In view of the above, the present application provides a method, a system and a storage medium for processing rights data in order to solve the problems of the prior art.
In a first aspect, the present application provides a rights data processing method, applied to a management end, including:
releasing a software development kit, so that an application end integrates the software development kit to establish a communication connection with the management end and runs the permission control logic in the software development kit, which intercepts a user operation request through a corresponding interface and then performs permission verification on the user operation request;
maintaining interface information and user data of each interface in real time, wherein the interfaces are internal interfaces of the application end or interfaces supported by the application end;
generating a permission association path according to the interface information, so that the application end performs interface permission verification on the user operation request according to the permission association path;
and sending the user data to the application end, so that the application end performs data permission verification on the user operation request according to the user data through a corresponding interface.
In a second aspect, the present application provides a rights data processing method, applied to an application end, where the application end includes a plurality of interfaces and a logic controller, and each interface is connected to the logic controller, where the method includes:
integrating a software development kit issued by a management end to establish a communication connection with the management end, wherein the software development kit comprises permission control logic;
running the permission control logic, intercepting a user operation request at a corresponding interface, and performing permission verification on the user operation request, wherein the permission verification comprises one or both of interface permission verification and data permission verification, and the user operation request is allowed to access the logic controller after it passes the permission verification.
In an optional embodiment, if the permission check is an interface permission check, the performing permission check on the user operation request includes:
acquiring a permission association path of the current interface and the user information of the user who initiated the user operation request, and performing permission verification on the user information according to the permission association path.
In an optional embodiment, the performing, according to the rights association path, rights verification on the user information includes:
judging whether a first permission path containing the user information exists in the permission association path, and whether a second permission path containing the current interface information exists;
if the first permission path and the second permission path both exist, judging whether the first permission path and the second permission path can be spliced into a complete permission association path;
if yes, determining that the interface permission verification passes;
if not, determining that the interface permission verification does not pass.
In an optional embodiment, the obtaining the rights association path of the current interface includes:
requesting first local association path data from the management end, and acquiring second local association path data stored in the management end, wherein the first local association path data is not overlapped with the second local association path data;
and obtaining the complete permission association path of the current interface according to the first local association path data and the second local association path data.
In an optional embodiment, if the permission check is a data permission check, the performing the permission check on the user operation request includes:
acquiring user data and the permission annotation information on the logic controller that the user operation request correspondingly accesses;
acquiring, from the user operation request and according to the permission annotation information, verification data for performing the data permission verification, wherein the permission annotation information indicates the data type and field information for which the data permission verification needs to be performed;
judging whether the user data is consistent with the verification data;
if they are consistent, determining that the data permission verification passes;
if they are inconsistent, determining that the data permission verification does not pass.
In an alternative embodiment, the method further comprises:
if the verification data cannot be obtained from the user operation request, forwarding the user operation request to the logic controller, so that the logic controller obtains target user data from the management end and performs permission verification on the user operation request according to the target user data.
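An added Python example of this data permission check (not code from the patent or its SDK): a decorator stands in for the permission annotation, the interceptor compares the annotated request field with the user data pushed by the management end, and a request lacking that field is forwarded to the controller with a deferred check. The decorator, class and function names, the reading of "consistent" as set membership, and the sample orders and users are assumptions constructed for illustration.

```python
def data_permission(data_type, field):
    """Hypothetical decorator: attaches permission annotation info to a controller."""
    def mark(controller):
        controller.permission_annotation = {"data_type": data_type, "field": field}
        return controller
    return mark


# Constructed sample records held by the application end.
ORDERS = {"o-1": {"dept_id": "d-10"}, "o-2": {"dept_id": "d-20"}}

# Constructed user data as maintained on the management end:
# user -> data type -> values the user may access.
MANAGEMENT_USER_DATA = {
    "alice": {"department": {"d-10"}},
    "bob": {"department": {"d-10", "d-20"}},
}


@data_permission(data_type="department", field="dept_id")
def get_orders(request, deferred_check=None):
    """Logic controller: lists orders of a department or returns one order by id."""
    if "dept_id" in request:
        # The interceptor already verified this value; select data by the same value.
        return sorted(o for o, rec in ORDERS.items() if rec["dept_id"] == request["dept_id"])
    # Verification data was not in the request: resolve it, then run the deferred check.
    record = ORDERS[request["order_id"]]
    deferred_check(record["dept_id"])  # raises PermissionError on mismatch
    return [request["order_id"]]


class DataPermissionInterceptor:
    def __init__(self, user_data, fetch_target_user_data):
        self.user_data = user_data  # copy pushed to the application end
        self.fetch_target_user_data = fetch_target_user_data  # stand-in for a management-end call

    @staticmethod
    def _consistent(allowed, data_type, value):
        # Assumption: "consistent" means the value is among those granted to the user.
        return value in allowed.get(data_type, set())

    def handle(self, user, controller, request):
        note = getattr(controller, "permission_annotation", None)
        if note is None:
            return ("pass", controller(request))  # no data permission check configured
        value = request.get(note["field"])
        if value is not None:
            allowed = self.user_data.get(user, {})  # unknown user -> nothing granted
            if not self._consistent(allowed, note["data_type"], value):
                return ("deny", None)
            return ("pass", controller(request))

        def deferred_check(target_value):
            target = self.fetch_target_user_data(user)
            if not self._consistent(target, note["data_type"], target_value):
                raise PermissionError("data permission verification did not pass")

        try:
            return ("pass", controller(request, deferred_check))
        except PermissionError:
            return ("deny", None)


def build_interceptor():
    pushed = {u: dict(d) for u, d in MANAGEMENT_USER_DATA.items()}
    return DataPermissionInterceptor(pushed, lambda user: MANAGEMENT_USER_DATA.get(user, {}))


if __name__ == "__main__":
    sdk = build_interceptor()
    for user, req in [("alice", {"dept_id": "d-10"}), ("alice", {"dept_id": "d-20"}),
                      ("alice", {"order_id": "o-2"}), ("bob", {"order_id": "o-2"})]:
        print(user, req, sdk.handle(user, get_orders, req))
```

When the checked field comes from the client, the controller must select data by that same checked value, as `get_orders` does; otherwise the check and the data returned can diverge.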
In a third aspect, the present application provides a rights data processing system comprising:
a management end for executing the authority data processing method of the first aspect;
and the application end is used for executing the authority data processing method of the second aspect.
In a fourth aspect, the present application provides a computer device comprising a memory storing a computer program and a processor for executing the computer program to implement the aforementioned rights data processing method.
In a fifth aspect, the present application provides a computer storage medium storing a computer program which, when executed on a processor, implements the aforementioned rights data processing method.
The embodiment of the application has the following beneficial effects:
The embodiment of the application provides a permission data processing method applied to a management end. The method comprises: issuing a software development kit so that an application end integrates the software development kit to establish a communication connection with the management end and runs the permission control logic in the software development kit, which intercepts a user operation request through a corresponding interface of the application end and then performs permission verification on the user operation request; maintaining interface information and user data of each interface in real time; generating a permission association path according to the interface information so that the application end performs interface permission verification on the user operation request according to the permission association path; and sending the user data to the application end so that the application end performs data permission verification on the user operation request through the corresponding interface according to the user data. The embodiment embeds the permission control logic into the application end through the software development kit, which also provides the communication connection and data docking between the application end and the management end. By running the permission control logic, the application end can implement the permission verification function internally and quickly, which avoids reissuing the system because of code changes at the application end and reduces intrusion into the code logic of the service layer. At the same time, the permission data can be set and changed in real time on the management end, and the permission control logic can use the updated permission data directly to complete the permission verification without additional processing by the application end, which improves the flexibility of the permission verification configuration and reduces later maintenance cost.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings that are required for the embodiments will be briefly described, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope of the present application. Like numerals are used for like parts throughout the various figures.
FIG. 1 is a schematic diagram of a rights data processing system in an embodiment of the present application;
FIG. 2 is a schematic flow chart of a first method for processing rights data performed by a management end in an embodiment of the present application;
FIG. 3 is a schematic flow chart of a first method for processing authority data by an application end in an embodiment of the present application;
FIG. 4 is a schematic flow chart of a second method for processing authority data by an application end in an embodiment of the present application;
FIG. 5 is a schematic flow chart of a third method for processing authority data by an application end in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments.
The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to fall within the scope of the present application.
The terms "comprises," "comprising," "including," or any other variation thereof, as may be used in various embodiments of the present application, are intended to cover a specific feature, number, step, operation, element, component, or combination of the foregoing, and are not intended to exclude the presence or the possible addition of one or more other features, numbers, steps, operations, elements, components, or combinations of the foregoing.
Furthermore, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which various embodiments of the application belong. The terms (such as those defined in commonly used dictionaries) will be interpreted as having a meaning that is the same as the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein in connection with the various embodiments of the application.
An embodiment of the present application provides a rights data processing system, shown by way of example in FIG. 1, which includes a management end 100 and an application end 200. The management end 100 encapsulates a software development kit (SDK) and issues the SDK. The application end 200 can integrate the SDK, so that communication connection and data docking between the management end 100 and the application end 200 are realized through the SDK. The SDK comprises permission control logic, corresponding configuration data and the like, and the application end 200 performs the permission verification operation by running the permission control logic and performs data docking with the management end 100.
That is, by integrating the SDK the application end 200 runs the permission control logic to perform the corresponding permission verification operation. The application end 200 therefore does not need to develop an additional set of system framework code for permission management and control, nor to add corresponding code in the service layer, so permission management and control over user operation requests initiated by users can be implemented with little intrusion into the service logic. In addition, the management end 100 can manage the permission data required by the application end 200 in real time and send updated permission data to the application end 200 in real time through data docking, so the application end 200 does not need to manage the permission data itself, which avoids memory occupation at the application end 200.
By way of reference, the application end 200 includes a plurality of interfaces and a logic controller, where each interface is connected to the logic controller, and a user may access the logic controller through each interface, thereby executing a corresponding user operation request.
It may be understood that a user logs in to the application end 200 and initiates a user operation request that carries the interface address of a target interface. The target interface of the application end 200 receives the user operation request, so the request may access the logic controller through the corresponding interface of the application end 200. Because the application end 200 runs the permission control logic, each interface of the application end 200 intercepts the user operation requests initiated by users and performs permission verification on them. In this process, the application end 200 may obtain permission data from the management end 100 and verify the user operation request according to that data; if the request passes the corresponding permission verification, it is allowed to access the logic controller.
It should be noted that permission management includes two different levels of permission verification, namely interface-level verification (interface permission verification) and data-level verification (data permission verification), and the application end 200 may perform one or both of them according to the permission control logic.
Further, the management end 100 may manage the user data used for data permission verification and the interface permission information, corresponding to each interface in the application end 200, used for interface permission verification. The management end 100 issues updated user data to the application end 200 in real time and updates the interface permission information of the application end 200 in real time, so that the permission configuration of each interface takes effect at the application end 200 in real time based on the configuration of the management end 100, and the application end 200 receives the user data issued by the management end 100. The application end 200 therefore does not need to manage the related permission data itself, which reduces memory occupation and avoids interference with other service functions and service data.
Correspondingly, in one example, as shown in FIG. 2, the process of performing data processing by the management end 100 may include the following steps:
S110, releasing a software development kit.
S120, maintaining interface information and user data of each interface in real time.
S130, generating a permission association path according to the interface information, so that the application end 200 executes interface permission verification on the user operation request according to the permission association path.
S140, sending the user data to the application end 200, so that the application end 200 executes data permission verification on the user operation request according to the user data through the corresponding interface.
The management end 100 creates a software development kit (i.e., SDK) containing rights control logic in advance, where the SDK contains necessary classes, interfaces, methods, etc. for integrating rights management functions in an application, and the SDK encapsulates the core logic of rights verification, including functions of identifying user requests, invoking rights verification methods, returning verification results, etc.
Then, the management end 100 issues the SDK; the issuing manner includes, but is not limited to, a web service (such as HTTP, API, etc.) or broadcasting. The application end 200 may then integrate the SDK issued by the management end 100 and run the permission control logic of the SDK to perform permission control. Specifically, the permission control logic is configured to intercept the user operation request through a corresponding interface of the application end 200 and then perform permission verification on it.
In one example, a management background is further developed and deployed inside the management terminal 100, and the management background can maintain and manage rights data and resources, such as interfaces and user data, required in the application terminal 200 in real time. The management end 100 realizes data interaction with the SDK operated by the application end 200 through the management background, so that the management background can dynamically configure interface information and user data of the application end 200 for executing authority verification and push or broadcast updated user data to the SDK of the application end 200 in real time, and then the application end 200 performs authority verification according to the interface information and the user data maintained by the management end 100 in real time.
It should be noted that both the interface permission verification and the data permission verification can be implemented through permission association paths. The management background may accordingly manage and configure the permission association paths used for the two kinds of verification. When maintaining the interface information and the user data, the management background can generate corresponding permission association paths from each of them: a permission association path containing interface information represents the association relationships related to the interfaces and is used for interface permission verification, and a permission association path containing user data represents the association relationships related to the users and is used for data permission verification.
For example, the authority associated path related to the interface authority verification process can be set to include four parameter items of 'user-role-menu-interface', wherein a sub path can be formed between two adjacent parameter items, such as 'user-role', 'role-menu', 'menu-interface', and three sub paths can be spliced into a complete interface authority path.
Further, the management end 100 maintains the detailed information of the interface for executing the authority verification in real time in the management background, such as the interface name, the application, the access path, etc., and if a new interface is needed for executing the authority verification, the configuration of the authority-related path is only needed for the new interface in the management background, so that the target interface of the application end 200 (i.e. the new interface maintained by the management end 100) has the function of executing the authority verification, thereby realizing the dynamic configuration of the interface authority verification function.
Specifically, if the application end 200 needs to add the authority control logic of the corresponding interface, the management background of the management end 100 can be used to input the interface information (such as the interface address) of the interface to be added, and then update the sub-paths in the corresponding authority associated path according to the interface information, so that the corresponding interface can be quickly provided with the interface authority verification function, without modifying additional codes and the like, and the flexibility of the authority control configuration is improved.
For example, the interface information of the authority control logic to be added can be input into a corresponding interface configuration page in the management background, and the authority association path of the interface is bound on the page to complete the configuration of the interface authority control logic of the interface, so that the binding rule (authority association path) of the interface authority is generated or updated to determine which interfaces can be accessed by which users or roles, and the like, and further, the interface configured with the related authority control logic can intercept the user operation request initiated by the user and execute the interface authority verification on the user operation request.
The process of maintaining the interface information of the newly added interface by the management end 100 may be to modify or add only a sub-path of "menu-interface" so as to change the information of the parameter item of "interface" in the sub-path to the interface information corresponding to the newly added interface (such as the name or number or interface address of the newly added interface, etc. used for uniquely indicating the newly added interface), and further, the updated sub-path of "menu-interface" may be spliced with the currently maintained sub-paths of "user-role" and "role-menu" to form a complete rights association path according to the requirement.
In one example, the permission association path related to the data permission verification process may be set to include three parameter items, "user-role-data". As with the interface permission path, a sub-path can be formed between two adjacent parameter items in the data permission association path, such as "user-role" and "role-data", and the two sub-paths can be spliced into a complete data permission path.
The management side 100 may also enter or update the rights data of the user (i.e., the rights association path for performing the data rights verification) in the management background, including but not limited to data objects that the user can access, operation types (e.g., read, write), whether there is a specific access restriction, etc. According to the data authority information, the management background can generate or update the relation between the user and the data resources which can be requested or accessed, and the like, and can determine which users or roles can access which data resources, so that the application end 200 can execute the data authority verification on the user operation request intercepted by the interface according to the user data.
As with the maintenance of the interface information of the newly added interface, if the management end 100 needs to maintain the updated user data for permission verification, the permission association path corresponding to the user data may be adjusted accordingly.
For example, if a new user's data access authority is required to be added, a sub-path of "user-role" is searched from the maintained authority-related paths related to data authority verification, so that the information of the parameter item of "user" in the sub-path is changed into the mark information of the new user, such as the user name, for uniquely indicating the new user, and then the updated sub-path of "user-role" can be spliced with the sub-path of "role-data" maintained at present to form a complete authority-related path by selecting a target sub-path according to requirements.
Obviously, in this embodiment, because the management end 100 maintains the interface information and the user data by means of permission association paths, a change to the interface information or user data used for permission verification only requires updating one sub-path in the maintained permission association path rather than all association relationships. This reduces the amount of data to be changed, simplifies the change flow, improves change efficiency, and facilitates subsequent maintenance. If the currently maintained permission association paths cannot meet the requirement, a new permission association path can be generated as needed to supplement them; that is, the embodiment can flexibly adjust the permission association paths to meet different user requirements.
In addition, the management background supports a real-time or near real-time data synchronization mechanism, so that it is ensured that the updated authority data (including the authority association path corresponding to the execution of the interface authority verification and the data authority verification, etc.) in the background can be quickly reflected in the SDK of the application end 200, that is, the updated user data is sent to the application end 200 in real time, so that the application end 200 executes the authority verification on the user operation request initiated by the user according to the updated user data and the internally stored user data. If the updated user data is modified rights data, the application 200 may perform the verification operation only according to the updated user data when performing the rights verification.
In one example, when a user operation request is received, the application end 200 performs the interface permission verification and the data permission verification on the request according to the user data and the interface permission binding information acquired from the management end 100. If the user operation request initiated by the user matches the corresponding interface permission and/or data permission, the user is allowed to access the logic controller to execute the request; otherwise, error information is returned or the operation is blocked.
Therefore, the embodiment can construct a dynamic, flexible and safe authority management system through the authority control logic, ensure that only authorized user operation requests can be executed, effectively prevent unauthorized access and misoperation, and improve the security of data access and requests of the application end 200.
The process by which the application side 200 performs the rights verification is described in detail below by way of example only.
As shown in fig. 3, the process of executing the rights data processing by the application end 200 may include the following steps:
S210, integrating the software development kit issued by the management terminal 100 to be in communication connection with the management terminal 100.
S220, operating authority control logic in the software development kit, intercepting the user operation request at the corresponding interface, and executing authority verification on the user operation request.
In an embodiment, when integrating the software development kit (SDK), the application end 200 packages the SDK as a dependency of the application. When the application runs, the permission control logic in the SDK takes effect automatically, so the application end 200 can perform permission verification on the user operation requests initiated by each user through the permission control logic, which improves the security of each user's access to the logic controller.
The application end 200 may perform one or both of interface permission verification and data permission verification on the user operation requests initiated by each user, based on actual requirements. Optionally, if both are performed, their execution order may be set as required; for example, the two verifications may be performed simultaneously or sequentially. If either verification fails, the user operation request is discarded and the failure is fed back to the user. For example, the interface-level verification is performed first on the intercepted user operation request and the data-level verification second; if the interface-level verification does not pass, the data-level verification is not performed and the user operation request is discarded.
When performing the interface permission verification, the application end 200 can determine, according to the user information, whether the permission data corresponding to the user contains a complete permission path including the four parameter items user, role, menu and interface. If the user has only an incomplete permission path (such as only the "user-role" sub-path) or no corresponding permission path, the user does not have permission to access the logic controller through the current interface, that is, the interface permission verification does not pass; otherwise, the interface permission verification passes.
In some examples, when performing the data permission verification, the application end 200 may determine, according to the user information, whether the user data corresponding to the user contains a complete permission path including the three parameter items user, role and data. If the user has only an incomplete permission path (such as only the "user-role" sub-path) or no corresponding permission path, the user does not have permission to access the logic controller through the current user operation request, that is, the data permission verification does not pass; otherwise, the data permission verification passes.
The parameter items related to the interface authority path and the data authority path can be specifically adjusted according to actual requirements, which is not limited in this embodiment.
In this embodiment, the authority information of interfaces and data is managed through the authority association path. On the one hand, the interface or data authority data corresponding to each user can be quickly located from the authority path by means of the user information, and the association relations between the parameter items in the authority association path are easy to manage, which improves management efficiency. On the other hand, when the interface or data authority data is later updated (for example, an authority association corresponding to a role type is added or deleted), only the part of the authority path that needs updating has to be adjusted, rather than the association relations between all the data; this reduces the amount of data to be updated, reduces the update workload, and improves data update efficiency.
In an example, to execute the interface permission verification on the user operation request, the application end 200 acquires the permission association path of the current interface and the user information of the user initiating the user operation request, and performs permission verification on the user information according to the permission association path.
As shown in fig. 4, the process of performing the interface permission check by the application end 200 may include the following steps:
S410, judging whether a first authority path containing user information exists in the authority associated paths or not and whether a second authority path containing current interface information exists or not.
S420, if the first authority path and the second authority path exist, judging whether the first authority path and the second authority path can be spliced into a complete authority associated path.
S430, if the first authority path and the second authority path can be spliced into a complete authority associated path, determining that the interface authority verification passes.
S440, if the first authority path and the second authority path can not be spliced into a complete authority associated path, determining that the interface authority check is not passed.
After intercepting the user operation request, the corresponding interface determines, according to the user information corresponding to the user operation request and the interface information corresponding to the current interface, whether a first permission path corresponding to the user information and a second permission path corresponding to the current interface information exist in the permission data obtained from the management end 100 or stored in the application end 200.
That is, it is determined from the rights association path, according to the user information, whether a sub-path containing the two parameter items "user-role" exists (corresponding to the first rights path), and, according to the interface information, whether a sub-path containing the two parameter items "menu-interface" exists (corresponding to the second rights path). If both sub-paths exist, it is further determined whether the two sub-paths can be spliced into a complete rights association path maintained by the management end 100.
If the two sub-paths cannot be spliced into a permission association path, the user does not have the corresponding interface permission, and it is determined that the interface permission check corresponding to the user operation request is not passed; otherwise, it is determined that the interface permission check is passed.
For example, when executing the interface permission verification for the user operation request intercepted at the current interface, the application end 200 obtains, according to the user information corresponding to the user operation request, one sub-path (denoted sub-path A) containing the two parameter items "user-role" from the multiple permission association paths (each containing the four parameter items "user-role-menu-interface") involved in the interface permission verification process. The "user" parameter item in the sub-path indicates the user name in the user information, and the "role" parameter item indicates the user identity in the user information.
It then acquires, according to the interface information corresponding to the current interface, a sub-path (denoted sub-path B) containing the two parameter items "menu-interface" from the authority association path. The "interface" parameter item in the sub-path indicates the name, number, address or the like of the current interface, i.e., identification information that uniquely identifies the interface.
Then, it is determined whether sub-path A and sub-path B can be spliced into a complete rights association path maintained in the management end 100.
This process can be understood as forming, from sub-path A and sub-path B, a complete path (denoted path X) containing the four parameter items "user-role-menu-interface". If path X is a complete authority association path maintained by the management end 100, a complete authority association path can be formed from sub-path A and sub-path B, and the interface authority verification is determined to pass. Otherwise, if path X is not a complete authority association path maintained by the management end 100, no complete authority association path can be formed from sub-path A and sub-path B, and the interface authority verification is determined not to pass.
In one example, to reduce the memory footprint, the application end 200 may store only a part of the rights association path, that is, the application end 200 may store in advance a part of the association relationship in the rights association path, and the other part may be acquired from the management end 100 when the verification is required.
It can be understood that, for each complete authority association path in the interface authority data, one, two or three sub-paths of that path may be stored in the application end 200, and the remaining sub-paths of the path are stored in the management end 100. For one complete authority association path, the number of sub-paths stored in the application end 200 and in the management end 100 is set according to actual requirements and is not limited in this embodiment. For example, the application end 200 may store the sub-paths containing the two parameter items "menu-interface", and the management end 100 stores the remaining sub-paths. Further, when the application end 200 needs to perform the interface permission verification, it obtains the corresponding remaining sub-paths from the management end 100 according to the user information or the interface information.
It may be appreciated that, before performing the interface permission verification, the application end 200 may first request the first local association path data from the management end 100 according to the user information or the interface information, and obtain the second local association path data stored in the application end 200 itself, where the first local association path data and the second local association path data do not overlap or only partially overlap, and then determine the permission association path of the current interface according to the first local association path data and the second local association path data. The first local association path data and the second local association path data may contain the authority association sub-paths corresponding to a plurality of interfaces, or only the authority path data corresponding to the current interface. That is, the first local association path data is the part of the sub-path data corresponding to the target interface that is stored in the management end 100, and the second local association path data is the part of the sub-path data corresponding to the target interface that is stored in the application end 200.
Specifically, it is judged whether the first local association path data and the second local association path data together contain the data of one complete authority association path corresponding to the current interface. If they contain data that can form the complete authority association path corresponding to the current interface, the user has the corresponding interface authority and the interface authority check for the user operation request passes; otherwise, the interface authority check is determined not to pass.
Optionally, after the interface permission verification is completed, the application end 200 may delete the sub-path requested from the management end 100, so as to reduce the data size required to be stored by the application end 200, and release the corresponding memory space.
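The following Python sketch is an added illustration of steps S410 to S440 combined with the split storage described above; it is not code from the patent. The class names, the `fetch_sub_paths` call, the sample users, roles, menus and interfaces, and the choice to treat an unreachable management end as a failed check are all assumptions made for the example.

```python
"""Interface permission check by splicing sub-paths (added example, constructed data)."""


class ManagementEnd:
    """Stand-in for management end 100: keeps the sub-paths the application does not store."""

    def __init__(self, user_role, role_menu):
        self.user_role = set(user_role)   # "user-role" sub-paths
        self.role_menu = set(role_menu)   # "role-menu" sub-paths
        self.reachable = True

    def fetch_sub_paths(self, user):
        """Return only the sub-paths that start from this user (first local data)."""
        if not self.reachable:
            raise ConnectionError("management end unreachable")
        roles = {r for (u, r) in self.user_role if u == user}
        return {
            "user_role": {(user, r) for r in roles},
            "role_menu": {(r, m) for (r, m) in self.role_menu if r in roles},
        }


class ApplicationEnd:
    """Stand-in for application end 200: stores only the "menu-interface" sub-paths."""

    def __init__(self, management, menu_interface):
        self.management = management
        self.menu_interface = set(menu_interface)  # second local data

    def splice(self, user, interface):
        """Return every complete user-role-menu-interface path that can be formed."""
        # S410: second authority path, looked up by the current interface.
        second = {(m, i) for (m, i) in self.menu_interface if i == interface}
        if not second:
            return []
        fetched = self.management.fetch_sub_paths(user)
        try:
            first = fetched["user_role"]      # S410: first authority path
            links = fetched["role_menu"]
            # S420: A and B splice only if a role-menu link joins them.
            return sorted(
                (u, r, m, i)
                for (u, r) in first
                for (m, i) in second
                if (r, m) in links
            )
        finally:
            fetched.clear()  # release the sub-paths requested for this check

    def check_interface_permission(self, user, interface):
        try:
            return bool(self.splice(user, interface))  # S430 pass / S440 fail
        except ConnectionError:
            return False  # assumption: no path data means the check fails


# Constructed sample data.
MANAGEMENT = ManagementEnd(
    user_role={("alice", "order_admin"), ("bob", "viewer")},
    role_menu={("order_admin", "order_menu"), ("viewer", "report_menu")},
)
APP = ApplicationEnd(
    MANAGEMENT,
    menu_interface={("order_menu", "/orders/query"), ("report_menu", "/reports/daily")},
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, APP.check_interface_permission(user, "/orders/query"))
```

In the sample data, "bob" has both a "user-role" sub-path and a "menu-interface" sub-path exists for `/orders/query`, yet the check fails because no "role-menu" link joins them; this is the case step S440 covers.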
In some examples, as shown in fig. 5, the process of the application end 200 performing the data right verification on the intercepted user operation request may include the following steps:
S510, obtaining permission annotation information and user data on the logic controller which is accessed correspondingly by the user operation request.
S520, according to the permission annotation information, verification data for executing data permission verification is obtained from the user operation request.
S530, judging whether the user data is consistent with the check data.
S540, if the user data is consistent with the verification data, determining that the data authority verification passes.
S550, if the user data is inconsistent with the verification data, determining that the data authority verification is not passed.
Permission annotation information is bound to the logic controller in advance, and the permission annotation information indicates the data type and field information for which the data permission verification is to be executed. That is, when the user logs in to the application end 200 and initiates a user operation request (a normal business operation such as querying an order or modifying an order) to access the logic controller, the application end 200 performs data permission verification on the user operation request intercepted by the corresponding interface by means of the permission annotation information bound to the logic controller.
Further, using the permission annotation information, the application end 200 obtains from the intercepted user operation request the check data corresponding to the data type and field information indicated in the permission annotation information, and compares the check data with the user data stored internally or requested from the management end 100. If the check data is consistent with the user data, it is determined that the data permission check passes; otherwise, it is determined that the data permission check does not pass.
The user data indicates the association relationship between each user and the corresponding accessible data resource.
In an example, the management end 100 may associate and store the user data through the rights association path in the same way as the interface rights verification process, and further may be implemented based on the corresponding rights association path in the process of executing the data rights verification by the application end 200.
When a user logs in the application end 200 to request access to the logic controller, the application end 200 intercepts the user operation request through a corresponding interface to acquire information of the user, and can acquire a role corresponding to the logged-in user and data corresponding to the role (namely, find a permission association path corresponding to the user through the user information) according to the user information, so that whether the user has permission to access or request a corresponding data object in the logic controller can be determined.
The application end 200 obtains, according to the user information, a sub-path (denoted sub-path C) containing the two parameter items "user-role" from a rights association path (e.g., one containing the three parameter items "user-role-data") involved in the data rights verification process. The "user" parameter item in the sub-path indicates the user name in the user information, and the "role" parameter item indicates the user identity in the user information.
According to sub-path C, it then searches the rights association path for a sub-path (denoted sub-path D) containing the two parameter items "role-data", where the content corresponding to the "role" parameter item is the same in the two sub-paths (sub-path C and sub-path D).
Then, the data information corresponding to the "data" parameter item is acquired from sub-path D and compared with the verification data. If the two are consistent, it is determined that the data authority verification passes; otherwise, it is determined that the data authority verification does not pass.
It can be understood that, in the data permission verification process, if the data bound to the role of the logged-in user does not include the data to be requested or accessed in the user operation request (that is, the corresponding permission association path is not found, or the data information corresponding to the "data" parameter item in the target permission association path is inconsistent with the data the user needs to request or access), the user does not have permission to access or request the data; otherwise, the user has the corresponding permission.
As an optional implementation manner, the application end 200 may pre-store a part of the association relationship in the permission association path, and the other part may be acquired from the management end 100 when the verification is needed, where the specific storage manner and storage logic are consistent with those of the corresponding part in the above interface permission verification process, so that details are not described herein.
In some examples, the application 200 may request the management end 100 for user data corresponding to a login user synchronously when performing data permission verification on a user operation request initiated by the login user, where the application 200 may store the user data locally during the login of the user, so as to perform data verification on multiple user operation requests initiated by the user subsequently during the login, so that multiple user data acquisition from the management end 100 is not required.
It can be understood that the application 200 can reduce the local memory occupation of the permission data by acquiring the user data after the user logs in and initiates the user operation request, and the user data can be stored or deleted based on the local memory requirement of the application 200 during the same login of the user. That is, the application 200 may set the storage mode of the user data based on its own memory occupation requirement, such as obtaining the user data immediately or storing the user data in advance to the local for multiple calls, which is not limited in this embodiment.
In some examples, if the verification data is not obtained from the user operation request, the user operation request is forwarded to the logic controller, so that the logic controller obtains corresponding user data from the management end 100, and performs authority verification on the user operation request according to the corresponding user data.
It may be understood that, if the user operation request does not include data for performing data permission verification, the corresponding interface directly forwards the user operation request to the logic controller, so that the logic controller performs corresponding permission verification operation according to internal requirements, where the logic controller may obtain user data of the user from the management end 100 to verify the user operation request according to the user data.
In one embodiment, the application end 200 and the management end 100 may also store part of the rights association paths respectively, that is, the application end 200 may store part of the association relationships in the rights association paths in advance, and the other part may be acquired from the management end 100 when the data verification is needed, where the corresponding processing procedure is consistent with the corresponding part in the interface rights verification procedure, which is not described herein.
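The following Python sketch is an added illustration of steps S510 to S550 and of the forwarding case in which no verification data can be obtained from the request; it is not code from the patent. A decorator stands in for the permission annotation information, and the names `data_permission`, `intercept`, `order_controller`, the order identifiers and the way the controller performs its own check (returning only the orders the user may access) are assumptions made for the example.

```python
"""Data permission check driven by a permission annotation (added example, constructed data)."""

# Constructed user data: "user-role" (sub-path C) and "role-data" (sub-path D).
USER_ROLE = {("alice", "sales_east"), ("bob", "sales_west")}
ROLE_DATA = {
    ("sales_east", "order", "ORD-1001"),
    ("sales_east", "order", "ORD-1002"),
    ("sales_west", "order", "ORD-2001"),
}
ORDERS = {"ORD-1001": 120, "ORD-1002": 75, "ORD-2001": 310}  # order id -> amount


def accessible_data(user, data_type):
    """Follow user -> role -> data and return the identifiers the user may access."""
    roles = {r for (u, r) in USER_ROLE if u == user}
    return {d for (r, t, d) in ROLE_DATA if r in roles and t == data_type}


def data_permission(data_type, field):
    """Hypothetical annotation: binds the data type and request field to a controller."""
    def bind(controller):
        controller.permission_annotation = {"data_type": data_type, "field": field}
        return controller
    return bind


@data_permission(data_type="order", field="order_id")
def order_controller(user, request, verified):
    """Stand-in for the logic controller."""
    if verified:
        order_id = request["order_id"]
        return {"status": 200, "orders": {order_id: ORDERS[order_id]}}
    # Forwarded without check data: the controller verifies on its own
    # (assumption: it returns only what the user's role is bound to).
    allowed = accessible_data(user, "order")
    return {"status": 200, "orders": {o: a for o, a in ORDERS.items() if o in allowed}}


def intercept(controller, user, request):
    """Interface-side check executed before the request reaches the controller."""
    annotation = controller.permission_annotation        # S510
    check_value = request.get(annotation["field"])       # S520
    if check_value is None:
        # No verification data in the request: forward to the controller.
        return controller(user, request, verified=False)
    allowed = accessible_data(user, annotation["data_type"])
    # S530 / S550: anything that is not an allowed identifier is rejected.
    if not isinstance(check_value, str) or check_value not in allowed:
        return {"status": 403, "error": "data permission check not passed"}
    return controller(user, request, verified=True)      # S540


if __name__ == "__main__":
    print(intercept(order_controller, "alice", {"order_id": "ORD-1001"}))
    print(intercept(order_controller, "alice", {"order_id": "ORD-2001"}))
    print(intercept(order_controller, "bob", {}))
```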
It can be appreciated that, in this embodiment, the interface permission verification and/or the data permission verification is executed on the interface side before the user operation request is executed, so that the verification of the user operation request is completed, and whether the user has the corresponding permission is determined, before the request is actually processed, thereby ensuring the security of system access. The embodiment realizes the corresponding authority verification based on the authority control logic in the software development kit, without modifying the underlying code of the application end 200 and therefore without re-releasing the application online. If the data authority verification is required, only the corresponding authority annotation information needs to be added on the logic controller side; if the interface authority verification is required, the authority information of the interface can be configured and bound directly on the management end 100. Thus, whether data authority verification or interface authority verification is configured, the authority settings can be adjusted without modifying code, and they can be adjusted dynamically according to different requirements, which makes authority control more efficient and flexible and reduces the burden on developers. In addition, because of the authority control logic, the whole authority verification process is more automated, the need for manual intervention is reduced, and the flexibility and reliability of the authority verification are improved.
The embodiment of the application also provides a computer device, which can be, but not limited to, a desktop computer, a notebook computer, a smart phone, a tablet, etc., and the existence form of the computer device is not limited, and mainly depends on whether the computer device needs to support the interface display function of the browser webpage, etc., wherein the computer device can be used as the management end 100 or the application end 200 in the data processing system. The computer device comprises a processor and a memory, wherein the memory stores a computer program, and the processor causes the computer device to execute the rights data processing method of the application by running the computer program.
The processor may be an integrated circuit chip with signal processing capabilities. The processor may be a general purpose processor including at least one of a central processing unit (Central Processing Unit, CPU), a graphics processor (Graphics Processing Unit, GPU) and a network processor (Network Processor, NP), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application.
The memory may be, but is not limited to, a random access memory (Random Access Memory, RAM), a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable Read-Only Memory, PROM), an erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), an electrically erasable programmable read-only memory (Electric Erasable Programmable Read-Only Memory, EEPROM), etc. The memory is used for storing a computer program, and the processor can correspondingly execute the computer program after receiving the execution instruction.
Furthermore, the present application provides a computer storage medium for storing the computer program used in the above computer device, where the computer program implements the rights data processing method of the above embodiment when executed on a processor.
It will be appreciated that the options in the rights data processing method of the above embodiment are equally applicable to the present embodiment, and thus the description thereof will not be repeated here.
The computer storage medium may be a nonvolatile storage medium or a volatile storage medium. For example, the computer storage medium may include, but is not limited to, a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media that can store program code.
In the several embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other manners as well. The system embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, in each embodiment of the present application, each step performed by the management end 100 and the application end 200 may be implemented by one or more functional modules or units, that is, a plurality of functional modules or units may be disposed inside the management end 100 and the application end 200 respectively to perform each step in the foregoing embodiment, so as to implement a corresponding function, and each functional module or unit inside the management end 100 and the application end 200 may be integrated together to form a separate part, or each module may exist alone, or two or more modules may be integrated to form a separate part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a smart phone, a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application.
Claims (10)
1. The authority data processing method is characterized by being applied to a management end and comprising the following steps of:
Releasing a software development kit, so that an application end integrates the software development kit to be in communication connection with the management end, and operating authority control logic in the software development kit to intercept a user operation request through a corresponding interface and then execute authority verification on the user operation request;
maintaining interface information and user data of each interface in real time, and generating and configuring a corresponding authority association path and authority control logic according to the interface information and the user data respectively so that the application end executes interface authority verification on the user operation request according to the authority association path;
the user data is sent to the application end, so that the application end executes data permission verification on the user operation request according to the user data through a corresponding interface;
The interface is an internal interface of the application end or an interface supported by the application end, wherein the authority association path containing interface information represents an association relation related to each interface and used for carrying out interface authority verification;
and if the interface information or the user data for the authority verification is required to be changed, updating one sub-path in the maintained related authority associated path.
2. The authority data processing method is characterized by being applied to an application end, wherein the application end comprises a plurality of interfaces and a logic controller, and each interface is connected with the logic controller, and the method comprises the following steps:
integrating a software development kit issued by a management end to be in communication connection with the management end, wherein the software development kit comprises authority control logic configured by the management end;
The authority control logic is operated, user operation requests are intercepted at corresponding interfaces, and authority verification is executed on the user operation requests, wherein the authority verification comprises one or two of interface authority verification and data authority verification, wherein the authority correlation path which is generated and configured according to interface information and user data based on the management end executes interface authority verification and/or data authority verification on the user operation requests;
and executing authority verification on an updated authority-related path in the maintained related authority-related paths according to the management end when the interface information or the user data is changed;
The user operation request is used for allowing access to the logic controller after the permission verification is determined to be passed.
3. The rights data processing method of claim 2, wherein if the rights verification is an interface rights verification, the performing rights verification on the user operation request includes:
and acquiring a right association path of the current interface and user information for initiating the user operation request, and performing right verification on the user information according to the right association path.
4. A rights data processing method according to claim 3, wherein said performing rights verification on said user information according to said rights association path comprises:
Judging whether a first authority path containing the user information exists in the authority associated path or not and whether a second authority path containing the current interface information exists or not;
If the first authority path and the second authority path exist, judging whether the first authority path and the second authority path can be spliced into a complete authority association path or not;
if yes, determining that the interface authority check passes;
if not, determining that the interface authority check is not passed.
5. A method of processing rights data according to claim 3, wherein said obtaining a rights association path for a current interface comprises:
requesting first local association path data from the management end, and acquiring second local association path data stored in the management end, wherein the first local association path data is not overlapped with the second local association path data;
And obtaining a complete authority associated path of the current interface according to the first local associated path data and the second local associated path data.
6. The rights data processing method according to any one of claims 2 to 5, wherein if the rights verification is a data rights verification, the performing rights verification on the user operation request includes:
acquiring permission annotation information and user data on a logic controller which is accessed correspondingly to the user operation request;
Acquiring verification data for executing data permission verification from the user operation request according to the permission annotation information, wherein the permission annotation information is used for indicating the data type and field information of which the data permission verification needs to be executed;
judging whether the user data is consistent with the check data or not;
if the data authority verification is consistent, determining that the data authority verification is passed;
if the data authority verification is inconsistent, determining that the data authority verification is not passed.
7. The rights data processing method according to claim 6, characterized by further comprising:
If the verification data cannot be obtained from the user operation request, forwarding the user operation request to the logic controller so that the logic controller can obtain target user data from the management end, and executing permission verification on the user operation request according to the target user data.
8. A rights data processing system, comprising:
a management end for executing the rights data processing method of claim 1;
an application side for executing the rights data processing method according to any one of claims 2 to 7.
9. A computer device comprising a memory storing a computer program and a processor for executing the computer program to implement the rights data processing method of any of claims 1-7.
10. A computer storage medium, characterized in that it stores a computer program which, when executed on a processor, implements the rights data processing method according to any of claims 1-7.
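An added Python sketch of the data permission verification described in claims 6 and 7 (example code, not taken from the patent). A decorator stands in for the permission annotation on the logic controller; `ORDERS`, `USER_DATA`, `fetch_user_data` and the reading of "consistent" as set membership are assumptions made for the example.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised when a data permission check fails."""

@dataclass(frozen=True)
class DataPermission:
    data_type: str  # kind of data the check applies to, e.g. "department"
    field: str      # request field that carries the value to check

def data_permission(data_type, field):
    """Decorator standing in for the permission annotation on a controller."""
    def mark(handler):
        handler.permission = DataPermission(data_type, field)
        return handler
    return mark

# Constructed sample data (hypothetical names and values).
ORDERS = {"o-1": "sales", "o-2": "finance"}      # order id -> owning department
USER_DATA = {"alice": {"department": {"sales"}}}  # maintained by the management end

def fetch_user_data(user_id):
    """Hypothetical management-end lookup used by the claim 7 fallback."""
    return USER_DATA.get(user_id, {})

def verify(handler, request, user_id):
    """Claim 6 check: True if passed, None if the request carries no check data."""
    ann = handler.permission
    value = request.get(ann.field)
    if value is None:
        return None
    allowed = USER_DATA.get(user_id, {}).get(ann.data_type, set())
    if value not in allowed:  # assumption: "consistent" means set membership
        raise AccessDenied(f"{user_id} may not access {ann.data_type}={value}")
    return True

@data_permission(data_type="department", field="department")
def orders_controller(request, user_id, prechecked):
    if prechecked:  # the request named the department and the check passed
        return sorted(o for o, d in ORDERS.items() if d == request["department"])
    # Claim 7: resolve the department server-side, then check it here.
    dept = ORDERS.get(request.get("order_id"))
    if dept is None or dept not in fetch_user_data(user_id).get("department", set()):
        raise AccessDenied(f"{user_id} may not access this order")
    return [request["order_id"]]

def dispatch(handler, request, user_id):
    """Application-side entry point: check if possible, else defer to the controller."""
    checked = verify(handler, request, user_id)
    return handler(request, user_id, prechecked=checked is True)
```

In the fallback path the decision rests on the department the controller resolves itself, so a request that omits the checked field is still denied unless the management-end data covers the resolved value.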
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411578862.2A CN119089434B (en) | 2024-11-07 | 2024-11-07 | Authority data processing method, system and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411578862.2A CN119089434B (en) | 2024-11-07 | 2024-11-07 | Authority data processing method, system and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN119089434A CN119089434A (en) | 2024-12-06 |
| CN119089434B CN119089434B (en) | 2025-02-18 |
Family
ID=93695867
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411578862.2A Active CN119089434B (en) | 2024-11-07 | 2024-11-07 | Authority data processing method, system and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119089434B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112579997A (en) * | 2020-12-17 | 2021-03-30 | 数字广东网络建设有限公司 | User permission configuration method and device, computer equipment and storage medium |
| CN117632289A (en) * | 2023-11-28 | 2024-03-01 | 抖音视界有限公司 | Data verification and configuration method and device, electronic equipment and storage medium |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8495099B2 (en) * | 2003-10-24 | 2013-07-23 | Enrico Maim | Method of manipulating information objects and of accessing such objects in a computer environment |
| JP4713985B2 (en) * | 2005-09-02 | 2011-06-29 | 株式会社野村総合研究所 | Service availability determination system and program |
| CN116257824A (en) * | 2023-02-10 | 2023-06-13 | 通用技术集团数字智能科技有限公司 | Override verification method and device and electronic equipment |
| CN116415218A (en) * | 2023-06-08 | 2023-07-11 | 天津金城银行股份有限公司 | Data authority management method and device, electronic equipment and storage medium |
| CN117714172A (en) * | 2023-12-18 | 2024-03-15 | 天翼数字生活科技有限公司 | Method and device for checking authority of capability open platform, gateway terminal and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN119089434A (en) | 2024-12-06 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |