CN112468409A - Access control method, device, computer equipment and storage medium - Google Patents
- Publication number: CN112468409A
- Application number: CN202011333722.0A
- Authority
- CN
- China
- Prior art keywords
- token
- access
- token bucket
- configuration information
- redis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/215—Flow control; Congestion control using token-bucket
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiment of the application belongs to the field of information security, and relates to an access control method, which comprises the steps of obtaining token bucket configuration information from a dynamic configuration management server, and configuring a token bucket according to the token bucket configuration information; receiving an access request sent by a user terminal; performing access check on the access request through Redis; extracting a token from the token bucket when the access request passes an access check; sending the extracted token to the user terminal to enable the user terminal to realize access, and recording a sending timestamp and a token use duration of the token in the Redis; and clearing the token of the token bucket according to the sending time stamp and the token use duration stored in the Redis. The application also provides an access control device, computer equipment and a storage medium. In addition, the application also relates to a block chain technology, and token bucket configuration information can be stored in the block chain. The application improves the flexibility of access control.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to an access control method and apparatus, a computer device, and a storage medium.
Background
For highly concurrent or distributed scenarios, a rate-limiting mechanism is often required for access control. Token bucket technology can implement access control for an interface: a certain number of tokens are held in the token bucket, and when a user initiates a request the user terminal must obtain a token from the bucket. If the terminal obtains a token, access is allowed; if it does not obtain one, access is denied.
However, conventional token bucket techniques typically use a fixed token quantity and a fixed time window. That is, a timed task is set, only a fixed number of access requests can be accepted within the period corresponding to that task, and the tokens are cleared when the task fires. Dynamic adjustment of the token bucket and dynamic clearing of tokens are therefore limited, access control is difficult to adjust in time as access traffic changes, and flexibility is low.
Disclosure of Invention
An embodiment of the present application aims to provide an access control method, an access control device, a computer device, and a storage medium, so as to solve the problem of low flexibility of access control.
In order to solve the foregoing technical problem, an embodiment of the present application provides an access control method, which adopts the following technical solutions:
obtaining token bucket configuration information from a dynamic configuration management server to configure a token bucket according to the token bucket configuration information;
receiving an access request sent by a user terminal;
performing access check on the access request through Redis;
extracting a token from the token bucket when the access request passes an access check;
sending the extracted token to the user terminal to enable the user terminal to realize access, and recording a sending timestamp and a token use duration of the token in the Redis;
and clearing the token of the token bucket according to the sending time stamp and the token use duration stored in the Redis.
Further, the step of obtaining token bucket configuration information from the dynamic configuration management server to configure the token bucket according to the token bucket configuration information includes:
monitoring token bucket configuration information corresponding to a token bucket in the dynamic configuration management server;
and when the token bucket configuration information is monitored to change, acquiring current token bucket configuration information from the dynamic configuration server to dynamically configure the token bucket.
Further, after the step of obtaining the token bucket configuration information from the dynamic configuration management server to configure the token bucket according to the token bucket configuration information, the method further includes:
instructing the token bucket to generate tokens according to the token bucket configuration information;
and when the token bucket generates tokens, clearing the tokens of the token bucket according to the sending timestamp and the token use duration stored in the Redis.
Further, after the step of receiving the access request sent by the user terminal, the method further includes:
determining whether access verification is needed at the current moment according to the token bucket configuration information;
and when the access check is needed, executing the step of performing the access check on the access request through Redis.
Further, the step of performing access check on the access request by Redis includes:
extracting a terminal identification from the access request;
querying the terminal identification in the Redis;
and when the terminal identification is not inquired and an isolated token exists in the token bucket, determining that the access request passes the access check.
Further, after the step of querying the terminal identifier in the Redis, the method further includes:
when the terminal identification is found, obtaining the token use duration stored in correspondence with the found terminal identification;
comparing the token use duration with a preset token available duration;
and when the token use duration is less than the token available duration, determining that the access request passes the access check.
Further, after the step of sending the extracted token to the user terminal to enable the user terminal to realize access, and recording a sending timestamp and a token use duration of the token in the Redis, the method further includes:
monitoring access of the user terminal;
and when the user terminal is monitored to finish the access, recovering the token to the token bucket.
In order to solve the foregoing technical problem, an embodiment of the present application further provides an access control apparatus, which adopts the following technical solutions:
the information acquisition module is used for acquiring token bucket configuration information from a dynamic configuration management server so as to configure a token bucket according to the token bucket configuration information;
the request receiving module is used for receiving an access request sent by a user terminal;
the request checking module is used for carrying out access checking on the access request through Redis;
the token extraction module is used for extracting tokens from the token bucket when the access request passes the access check;
the token sending module is used for sending the extracted token to the user terminal so as to enable the user terminal to realize access, and recording a sending timestamp and a token use duration of the token in the Redis;
and the token clearing module is used for clearing the tokens of the token bucket according to the sending timestamp and the token use duration stored in the Redis.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the access control method when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and the computer program, when executed by a processor, implements the steps of the access control method described above.
Compared with the prior art, the embodiment of the application mainly has the following beneficial effects: the token bucket configuration information is obtained from a dynamic configuration management server for managing the token bucket, so that the token bucket is configured, when the token bucket configuration information changes dynamically, the token bucket can be updated dynamically, and the token bucket is used for access control, so that the flexibility of access control is improved; receiving an access request sent by a user terminal, carrying out access verification, extracting a token from the token bucket after the verification is passed, and sending the token to the user terminal, so that the user terminal can realize interface access, thereby realizing access control; redis can record the sending time stamp and the using time of the token, and the token can be dynamically cleared according to the time stamp and the using time of the token, so that the flexibility of the token bucket is improved, and the flexibility of access control is further improved.
Drawings
In order to more clearly illustrate the solution of the present application, the drawings needed for describing the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow diagram of one embodiment of an access control method according to the present application;
FIG. 3 is a schematic block diagram of one embodiment of an access control device according to the present application;
FIG. 4 is a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, a server 105, and a dynamic configuration management server 106. The network 104 is used to provide a medium for communication links between the terminal devices 101, 102, 103 and the server 105, and between the server 105 and the dynamic configuration management server 106. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a web browser application, a shopping application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture experts Group Audio Layer III, mpeg compression standard Audio Layer 3), MP4 players (Moving Picture experts Group Audio Layer IV, mpeg compression standard Audio Layer 4), laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103. The dynamic configuration management server 106 is used for dynamically configuring and managing the token bucket. Redis in the present application may be located in server 105, or may exist in a third server (not shown in FIG. 1) that is different from server 105 and different from dynamic configuration management server 106.
It should be noted that the access control method provided in the embodiments of the present application is generally executed by a server, and accordingly, the access control apparatus is generally disposed in the server.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to FIG. 2, a flow diagram of one embodiment of an access control method according to the present application is shown. The access control method comprises the following steps:
step S201, obtaining token bucket configuration information from the dynamic configuration management server to configure the token bucket according to the token bucket configuration information.
In this embodiment, the electronic device (e.g., the server shown in fig. 1) on which the access control method operates may communicate by a wired connection or a wireless connection. It should be noted that the wireless connection means may include, but is not limited to, a 3G/4G connection, a WiFi connection, a bluetooth connection, a WiMAX connection, a Zigbee connection, a uwb (ultra wideband) connection, and other wireless connection means now known or developed in the future.
The dynamic configuration management server may be a server that dynamically configures and manages the token bucket; the token bucket configuration information is used to configure the token bucket.
Specifically, the token bucket is configured and managed by a dynamic configuration management server, the dynamic configuration management server stores token bucket configuration information, and the server acquires the token bucket configuration information from the dynamic configuration management server.
In one embodiment, a technician accesses a configuration management page at a management terminal, selects token bucket configuration information in the configuration management page according to access control requirements, and generates a selection instruction. And the dynamic configuration management server extracts token bucket configuration information according to the selection instruction and sends the token bucket configuration information to the server.
The token bucket configuration information may include a token valid duration (the longest time that a token can exist after generation), a token available duration (the longest time a user can use a token), a maximum number of tokens (an upper limit on the number of tokens in the token bucket), and a token generation frequency.
The server configures the token bucket according to the token bucket configuration information and instructs the token bucket to generate tokens accordingly. Each token has a token identifier; a Redis sorted set (ZSET) data structure records the token identifiers and is used for token management.
It is emphasized that, to further ensure the privacy and security of the token bucket configuration information, the token bucket configuration information may also be stored in a node of a block chain.
The block chain referred by the application is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
Step S202, receiving an access request sent by a user terminal.
Specifically, the user may operate the user terminal, trigger the access request, and send the access request to the server by the user terminal. For example, in a purchasing scenario of an e-commerce, a user operates a user terminal to browse a certain product and trigger an access request. The server maintains the operation of the e-commerce platform, and the access request is sent to the server to wait for processing. The access request may include a terminal identification. The terminal identifier is used to identify a terminal initiating the access request, and may also be a user account logged in on the user terminal.
Step S203, access check is carried out on the access request through Redis.
Specifically, after receiving a token, the user terminal can access or call the interface. After sending a token, the server writes the terminal identifier alongside the token identifier of that token in Redis, so as to mark that the token is occupied. The token identifier of an unoccupied token exists in Redis in isolation, with no terminal identifier stored in correspondence with it.
The server queries, through Redis, whether an available token exists in the token bucket, so as to perform the access check on the access request. An available token is one that can be sent to the user terminal. If the token bucket contains an isolated token, or a token that has already been sent to the user terminal and is still valid, then an available token exists and the access request passes the check; otherwise there is no available token and the access request is blocked.
And step S204, when the access request passes the access check, extracting the token from the token bucket.
In particular, when the access request passes the access check, the server extracts available tokens from the token bucket that can be sent to the user terminal. The extracted available tokens are tokens in the token bucket that are not already occupied or are already occupied by the user terminal, but are still valid.
And step S205, sending the extracted token to the user terminal to enable the user terminal to realize access, and recording the sending timestamp and the token use duration of the token in Redis.
Specifically, the server sends the extracted token to the user terminal, and the user terminal can perform network access or interface calls once it holds the token. If the sent token was not yet occupied, the server also obtains the time at which the token is sent, so as to generate a sending timestamp from it. A token may be used multiple times; a sending timestamp may be generated each time the token is sent, and Redis may record multiple timestamps for the same token.
The server looks up the token identifier of the sent token in Redis and stores the sending timestamp and the terminal identifier in correspondence with the found token identifier. At the same time, the server records how long the user terminal has been using the token to obtain the token use duration, which is stored in Redis in correspondence with the token identifier.
And step S206, clearing the token of the token bucket according to the sending time stamp and the token use duration stored in the Redis.
Specifically, the Redis sorted set (ZSET) can sort the information stored in Redis using the sending timestamp as the score. If a sending timestamp is generated only when the token is first sent, sorting follows that time; if a sending timestamp is generated every time the token is sent, sorting follows the first recorded sending timestamp. Sorting by sending timestamp lets clearable tokens be found quickly when tokens are cleared, which speeds up token clearing.
Redis may dynamically clear tokens in the token bucket; specifically, a token clearing instruction may be triggered after the token bucket generates a new token or after the server sends a token. According to the token clearing instruction, the server traverses the sending timestamps in Redis, determines from the sending timestamp and the token valid duration which tokens have exceeded their validity period, and deletes them; Redis may also traverse the token use durations, determine the tokens whose token use duration exceeds the token available duration, and delete them.
In the embodiment, the token bucket configuration information is acquired from the dynamic configuration management server for managing the token bucket, so that the token bucket is configured, when the token bucket configuration information changes dynamically, the token bucket can be updated dynamically, and the token bucket is used for access control, so that the flexibility of access control is improved; receiving an access request sent by a user terminal, carrying out access verification, extracting a token from the token bucket after the verification is passed, and sending the token to the user terminal, so that the user terminal can realize interface access, thereby realizing access control; redis can record the sending time stamp and the using time of the token, and the token can be dynamically cleared according to the time stamp and the using time of the token, so that the flexibility of the token bucket is improved, and the flexibility of access control is further improved.
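The six steps above, as an added worked example that is not code from the patent: a Python model of the controller with an in-memory stand-in for the Redis sorted set, so it runs offline. It also covers the refinements described later in this document for the access check (terminal identifier lookup, isolated tokens, token use duration compared against the token available duration) and for recovering a token when the terminal finishes. The names TokenBucketConfig, FakeSortedSet and AccessController, the use of a uuid as token identifier, scoring never-sent tokens by their generation time, and the explicit `now` parameter (seconds) are this example's own assumptions.

```python
"""Steps S201-S206 as an added example (not the patent's code). FakeSortedSet stands in
for the Redis ZSET commands (ZADD/ZRANGEBYSCORE/ZREM/ZCARD) so this runs offline; all
names are this example's own, and time is passed in explicitly in seconds."""
import uuid
from dataclasses import dataclass


@dataclass
class TokenBucketConfig:  # the four fields the description lists for S201
    token_valid_duration: float      # longest time a token may exist
    token_available_duration: float  # longest time one terminal may keep using a token
    max_tokens: int                  # upper bound on tokens in the bucket
    token_generation_frequency: int  # tokens produced per generation tick


class FakeSortedSet:
    """Minimal in-memory model of a Redis sorted set, constructed for this example."""
    def __init__(self):
        self._scores = {}

    def zadd(self, member, score):
        self._scores[member] = score

    def zrem(self, member):
        self._scores.pop(member, None)

    def zcard(self):
        return len(self._scores)

    def zrangebyscore(self, lo, hi):  # ascending by score, as Redis returns it
        return sorted((m for m, s in self._scores.items() if lo <= s <= hi), key=self._scores.get)


class AccessController:
    def __init__(self, config):
        self.config = config            # S201: replace this object when the config server changes it
        self.tokens = FakeSortedSet()   # token_id -> score: generation time until first send (assumption), then send timestamp
        self.sent = set()               # token ids handed out at least once
        self.owner = {}                 # token_id -> terminal_id; absent means the token is isolated
        self.use_start = {}             # token_id -> when the current holder received it
        self.terminal_token = {}        # terminal_id -> token_id, the Redis lookup of S203

    def generate(self, now):
        """Generation tick: clear stale tokens first (S206), then refill up to max_tokens."""
        self.clear_expired(now)
        new = min(max(0, self.config.max_tokens - self.tokens.zcard()), self.config.token_generation_frequency)
        for _ in range(new):
            self.tokens.zadd(uuid.uuid4().hex, now)
        return new

    def _isolated_token(self):
        return next((t for t in self.tokens.zrangebyscore(float("-inf"), float("inf")) if t not in self.owner), None)

    def check_access(self, terminal_id, now):
        """S203: a known terminal passes while within the available duration; an unknown one needs an isolated token."""
        tid = self.terminal_token.get(terminal_id)
        if tid is None:
            return self._isolated_token() is not None
        return now - self.use_start[tid] < self.config.token_available_duration

    def handle_request(self, terminal_id, now):
        """S203-S205: check, extract, send and record. Returns the token id, or None when blocked."""
        if not self.check_access(terminal_id, now):
            return None
        tid = self.terminal_token.get(terminal_id) or self._isolated_token()  # S204
        if tid not in self.owner:            # S205: first hand-out to this holder
            if tid not in self.sent:         # first send ever: the send timestamp becomes the score
                self.tokens.zadd(tid, now)
                self.sent.add(tid)
            self.use_start[tid] = now
        self.owner[tid] = terminal_id
        self.terminal_token[terminal_id] = tid
        self.clear_expired(now)              # the description allows clearing after each send
        return tid

    def finish_access(self, terminal_id):
        """Recover the token to the bucket when the terminal's access ends; it becomes isolated again."""
        tid = self.terminal_token.pop(terminal_id, None)
        if tid is not None:
            self.owner.pop(tid, None)
            self.use_start.pop(tid, None)
        return tid

    def clear_expired(self, now):
        """S206: delete tokens past the valid duration (by score) or held longer than the available duration."""
        expired = self.tokens.zrangebyscore(float("-inf"), now - self.config.token_valid_duration)
        overused = [t for t, start in self.use_start.items()
                    if now - start > self.config.token_available_duration and t not in expired]
        for tid in expired + overused:
            self.tokens.zrem(tid)
            self.sent.discard(tid)
            self.use_start.pop(tid, None)
            holder = self.owner.pop(tid, None)
            if holder is not None:
                self.terminal_token.pop(holder, None)
        return expired + overused
```

Swapping FakeSortedSet for a real Redis client is a small change, but two points the description leaves implicit matter in a deployment: the check-then-extract sequence in handle_request must be atomic across server instances (on real Redis, a Lua script or WATCH/MULTI), otherwise two concurrent requests can both see the same isolated token; and because the terminal identifier is supplied by the client, the bound enforced per terminal is only as strong as the identifier is hard to vary, so the number of isolated tokens (max_tokens) remains the limit that actually holds.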
Further, the step S201 may include: monitoring token bucket configuration information corresponding to a token bucket in a dynamic configuration management server; and when the token bucket configuration information is monitored to be changed, acquiring the current token bucket configuration information from the dynamic configuration server to dynamically configure the token bucket.
In particular, token bucket configuration information may be dynamically changed to accommodate dynamic changes in access traffic in a network environment. The server monitors token bucket configuration information corresponding to the token bucket in the dynamic configuration management server. And when the token bucket configuration information changes, obtaining the token bucket configuration information at the current moment from the dynamic configuration management server so as to update the configuration of the token bucket. When the token bucket has just completed a configuration update, there may be more than one token under token bucket configuration information in the token bucket.
In one embodiment, the dynamic configuration management server may be built on Apollo, a configuration management center that can centrally manage the configurations of different application environments and clusters; modified configurations take effect in real time without the system being taken offline and restarted. Building the dynamic configuration management server on Apollo lets the server modify the token bucket in real time and respond in real time to changes in access traffic.
In this embodiment, the token bucket configuration information corresponding to the token bucket in the dynamic configuration management server is monitored, so that the token bucket is updated immediately when the token bucket configuration information changes, thereby immediately adapting to dynamic changes of access traffic in a network environment and improving flexibility of access control.
Further, after the step S201, the method may further include: instructing the token bucket to generate a token according to the token bucket configuration information; and when the token bucket generates the token, clearing the token of the token bucket according to the sending timestamp and the token use duration stored in the Redis.
Specifically, the server configures the token bucket according to the token bucket configuration information and instructs the token bucket to generate new tokens according to the token generation frequency in that configuration information. The token bucket may also trigger a token clearing instruction while generating new tokens. According to the token clearing instruction, the server traverses the sending timestamps in Redis, determines from the sending timestamp and the token valid duration which tokens have exceeded their validity period, and deletes them; Redis may also traverse the token use durations, determine the tokens whose token use duration exceeds the token available duration, and delete them.
In this embodiment, the token may also be dynamically cleared when a new token is generated, which improves the flexibility of the token bucket, thereby further improving the flexibility of access control.
Further, after the step S202, the method may further include: determining whether access verification is needed at the current moment according to the token bucket configuration information; and when the access check is needed, performing the access check on the access request through Redis.
Specifically, the token bucket configuration information may further set the time periods in which access verification is required, for example by means of a verification switch function, which may be a piecewise function: if the value of the switch function at the current moment is not 0, access verification is required and the server verifies the access request through Redis; if the value at the current moment is 0, no access check is necessary.
In this embodiment, a time period required for access verification can be set according to the token bucket configuration information, and access verification is performed when access verification is required, so that flexibility of access control is improved.
Further, the step S203 may include: extracting a terminal identification from the access request; inquiring the terminal identification in Redis; and when the terminal identification is not inquired and an isolated token exists in the token bucket, determining that the access request passes the access check.
Wherein the isolated token may be a token that has not been sent to the user terminal after generation.
Specifically, after the token is sent to the user terminal, the server stores the terminal identifier of the user terminal and the token identifier of the token in the Redis in a corresponding manner, and the generated token which is not sent to the user terminal is an isolated token.
The server extracts the terminal identification from the access request and queries it in Redis. If the terminal identification is not found, the server queries whether an isolated token exists in the token bucket; if one exists, the token bucket can still issue a token and the access threshold has not been reached, so the user terminal may continue to access and the access request passes the access check.
If the terminal identification is not inquired and no isolated token exists in the token bucket, the token in the token bucket is occupied, and the access request is blocked temporarily.
In this embodiment, when the terminal identifier is not queried in the Redis and an isolated token exists, it indicates that a token that can be issued exists in the token bucket, and the access request is verified to pass, thereby ensuring the implementation of access control.
After the step of querying the terminal identifier in the Redis, the method further includes: when the terminal identification is inquired, the token use duration stored corresponding to the inquired terminal identification is obtained; comparing the token use duration with a preset token available duration; and when the token use duration is less than the token available duration, determining that the access request passes the access check.
Specifically, when the terminal identifier is found, the user terminal has already obtained a token from the token bucket and that token still exists in the token bucket. The server extracts the token use duration from the information stored in Redis for that terminal identifier and compares it with the preset token available duration. If the token use duration is less than the token available duration, the token the user terminal obtained earlier can still be used, that token can continue to be sent to the user terminal, and the access request passes the access check; when sending, the server sends that same token to the user terminal, so that the token is used effectively and the user terminal is prevented from occupying several tokens.
In this embodiment, when the terminal identifier is queried and the use duration of the token stored corresponding to the terminal identifier is less than the available duration of the token, it indicates that the user terminal has obtained the token and the token is still available, and the access request is verified to pass, thereby ensuring the implementation of access control.
Further, after step S205, the method may further include: monitoring access of a user terminal; and when the user terminal is monitored to finish accessing, recycling the token to the token bucket.
Specifically, after the server sends the token to the user terminal, access monitoring is performed on the user terminal, and if the user terminal finishes network access or calls an interface, the token sent to the user terminal is recycled to the token bucket.
By recycling the token immediately, the user terminal is prevented from holding the token for a long time without accessing the network or calling an interface; a token recycled to the token bucket can also be dynamically cleared, and the controllability of the token bucket is ensured.
In the embodiment, the token is immediately recycled when the user terminal finishes accessing, so that the controllability of the token bucket is ensured.
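The check, issue, clearing and recycling steps described above, as an added example that is not the patent's own code: a plain dict stands in for Redis, and the configuration fields, thresholds, switch windows and terminal identifiers are constructed for this illustration.

```python
"""Added example, not code from the patent: a simulation of the Redis-backed
token-bucket access check described above.  A dict stands in for Redis and all
field names, thresholds and sample times are constructed for the illustration."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class BucketConfig:
    """Stands in for the token bucket configuration information (constructed fields)."""
    capacity: int = 2                  # most tokens the bucket may hold (issued or not)
    generate_every: float = 10.0       # token generation interval, seconds
    token_valid_for: float = 60.0      # validity period measured from the send timestamp
    token_available_for: float = 30.0  # preset token available duration
    check_windows: tuple = ((0.0, 1000.0),)  # verification switch is non-zero inside

    def check_required(self, now: float) -> bool:
        """Piecewise verification switch function: 1 inside a window, 0 elsewhere."""
        return any(start <= now < end for start, end in self.check_windows)


@dataclass
class TokenBucket:
    cfg: BucketConfig
    redis: dict = field(default_factory=dict)     # terminal_id -> record; Redis stand-in
    isolated: list = field(default_factory=list)  # generated tokens not yet sent
    last_generated: float = 0.0
    _ids: count = field(default_factory=count)

    def reconfigure(self, cfg: BucketConfig) -> None:
        """Apply configuration pushed by the configuration centre (Apollo in the text)."""
        self.cfg = cfg
        del self.isolated[cfg.capacity:]  # shrink at once if the capacity was lowered

    def generate(self, now: float) -> int:
        """Generate a token when the interval has elapsed, then run token clearing.
        Returns the number of tokens generated (0 or 1)."""
        made = 0
        if now - self.last_generated >= self.cfg.generate_every:
            self.last_generated = now
            if len(self.isolated) + len(self.redis) < self.cfg.capacity:
                self.isolated.append(next(self._ids))
                made = 1
            self.clear_expired(now)
        return made

    def clear_expired(self, now: float) -> list:
        """Token clearing: traverse the send timestamps and use durations held in
        Redis and delete tokens past the validity period or the available duration."""
        gone = []
        for terminal, rec in list(self.redis.items()):
            if (now - rec["sent_at"] > self.cfg.token_valid_for
                    or rec["use_duration"] > self.cfg.token_available_for):
                gone.append(self.redis.pop(terminal)["token"])
        return gone

    def check_access(self, terminal: str, now: float) -> bool:
        """Access check through Redis (step S203 in the text)."""
        if not self.cfg.check_required(now):
            return True                       # switch function is 0: no check needed
        rec = self.redis.get(terminal)
        if rec is None:
            return bool(self.isolated)        # unknown terminal needs an isolated token
        rec["use_duration"] = now - rec["sent_at"]  # refresh the stored use duration
        return rec["use_duration"] < self.cfg.token_available_for

    def issue(self, terminal: str, now: float):
        """Extract and send a token once the check passes, recording the send timestamp
        and use duration.  A terminal already holding a token is sent that same token."""
        if not self.check_access(terminal, now):
            return None
        rec = self.redis.get(terminal)
        if rec is not None:
            return rec["token"]
        if not self.isolated:                 # no check required, but nothing to send
            return None
        token = self.isolated.pop(0)
        self.redis[terminal] = {"token": token, "sent_at": now, "use_duration": 0.0}
        return token

    def finish_access(self, terminal: str) -> bool:
        """Recycle the token to the bucket when the terminal's access is seen to end."""
        rec = self.redis.pop(terminal, None)
        if rec is None:
            return False
        self.isolated.append(rec["token"])
        return True


def demo() -> dict:
    """Walk through the scenarios the text describes; returns the observations."""
    b = TokenBucket(BucketConfig())
    b.generate(10.0); b.generate(20.0)                # two tokens: the bucket is full
    out = {"first": b.issue("term-A", 21.0)}          # unknown terminal, isolated token
    out["again"] = b.issue("term-A", 25.0)            # 4 s < 30 s: same token resent
    out["second"] = b.issue("term-B", 26.0)           # last isolated token goes to B
    out["blocked"] = b.check_access("term-C", 27.0)   # no isolated token left
    b.finish_access("term-B")                         # B done: token recycled
    out["after_recycle"] = b.check_access("term-C", 28.0)
    out["full"] = b.generate(30.0)                    # issued + isolated == capacity
    out["cleared"] = b.clear_expired(90.0)            # A's token past its 60 s validity
    b.reconfigure(BucketConfig(check_windows=((0.0, 50.0),)))
    out["no_check"] = b.check_access("term-Z", 500.0)  # switch is 0 at t=500
    return out
```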
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the computer program is executed. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps need not be performed in the exact order shown and may be performed in other orders. Moreover, at least a portion of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
With further reference to fig. 3, as an implementation of the method shown in fig. 2, the present application provides an embodiment of an access control apparatus, which corresponds to the embodiment of the method shown in fig. 2, and which can be applied to various electronic devices.
As shown in fig. 4, the access control device 300 according to the present embodiment includes: an information acquisition module 301, a request receiving module 302, a request checking module 303, a token extraction module 304, a token sending module 305 and a token clearing module 306, wherein:
an information obtaining module 301, configured to obtain token bucket configuration information from the dynamic configuration management server, so as to configure the token bucket according to the token bucket configuration information.
A request receiving module 302, configured to receive an access request sent by a user terminal.
And a request checking module 303, configured to perform access checking on the access request through Redis.
And a token extraction module 304, configured to extract a token from the token bucket when the access request passes the access check.
And the token sending module 305 is configured to send the extracted token to the user terminal to enable the user terminal to implement access, and record a sending timestamp and a token use duration of the token in Redis.
And the token clearing module 306 is configured to perform token clearing on the token bucket according to the sending timestamp and the token use duration stored in the Redis.
In the embodiment, the token bucket configuration information is acquired from the dynamic configuration management server for managing the token bucket, so that the token bucket is configured, when the token bucket configuration information changes dynamically, the token bucket can be updated dynamically, and the token bucket is used for access control, so that the flexibility of access control is improved; receiving an access request sent by a user terminal, carrying out access verification, extracting a token from the token bucket after the verification is passed, and sending the token to the user terminal, so that the user terminal can realize interface access, thereby realizing access control; redis can record the sending time stamp and the using time of the token, and the token can be dynamically cleared according to the time stamp and the using time of the token, so that the flexibility of the token bucket is improved, and the flexibility of access control is further improved.
In some optional implementation manners of this embodiment, the information obtaining module 301 includes: information monitoring submodule and information acquisition submodule, wherein:
and the information monitoring submodule is used for monitoring token bucket configuration information corresponding to the token bucket in the dynamic configuration management server.
And the information acquisition submodule is used for acquiring the current token bucket configuration information from the dynamic configuration server to dynamically configure the token bucket when the token bucket configuration information is monitored to change.
In this embodiment, the token bucket configuration information corresponding to the token bucket in the dynamic configuration management server is monitored, so that the token bucket is updated immediately when the token bucket configuration information changes, thereby immediately adapting to dynamic changes of access traffic in a network environment and improving flexibility of access control.
In some optional implementations of this embodiment, the access control apparatus 300 further includes: an indication module and a purge module, wherein:
and the indication module is used for indicating the token bucket to generate the token according to the token bucket configuration information.
And the clearing module is used for clearing the tokens from the token bucket according to the sending timestamp and the token service duration stored in the Redis when the token bucket generates the tokens.
In this embodiment, the token may also be dynamically cleared when a new token is generated, which improves the flexibility of the token bucket, thereby further improving the flexibility of access control.
In some optional implementations of this embodiment, the access control apparatus 300 further includes: a verification determination module, wherein:
and the verification determining module is used for determining whether access verification is required at the current moment according to the token bucket configuration information.
The request checking module 303 is further configured to perform access checking on the access request through Redis when access checking is required.
In this embodiment, a time period required for access verification can be set according to the token bucket configuration information, and access verification is performed when access verification is required, so that flexibility of access control is improved.
In some optional implementation manners of this embodiment, the request check module 303 includes: an identification extraction sub-module, an identification query sub-module and a request determination sub-module, wherein:
and the identifier extraction submodule is used for extracting the terminal identifier from the access request.
And the identification query submodule is used for querying the terminal identification in Redis.
And the request determining submodule is used for determining that the access request passes the access check when the terminal identification is not inquired and an isolated token exists in the token bucket.
In this embodiment, when the terminal identifier is not queried in the Redis and an isolated token exists, it indicates that a token that can be issued exists in the token bucket, and the access request is verified to pass, thereby ensuring the implementation of access control.
In some optional implementation manners of this embodiment, the request check module 303 further includes: the device comprises a time length obtaining submodule, a time length comparing submodule and a determining submodule, wherein:
and the time length obtaining submodule is used for obtaining the token service time length which is correspondingly stored with the inquired terminal identification when the terminal identification is inquired.
And the time length comparison submodule is used for comparing the token use time length with the preset token available time length.
And the determining submodule is used for determining that the access request passes the access check when the token use duration is less than the token available duration.
In this embodiment, when the terminal identifier is queried and the use duration of the token stored corresponding to the terminal identifier is less than the available duration of the token, it indicates that the user terminal has obtained the token and the token is still available, and the access request is verified to pass, thereby ensuring the implementation of access control.
In some optional implementations of this embodiment, the access control apparatus 300 further includes: an access monitoring module and a token recycling module, wherein:
and the access monitoring module is used for monitoring the access of the user terminal.
And the token recycling module is used for recycling the token to the token bucket when the condition that the user terminal finishes accessing is monitored.
In the embodiment, the token is immediately recycled when the user terminal finishes accessing, so that the controllability of the token bucket is ensured.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 4, fig. 4 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43 communicatively connected to each other via a system bus. It is noted that only a computer device 4 having the components 41-43 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium including a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or a memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the computer device 4. Of course, the memory 41 may also include both internal and external storage devices of the computer device 4. In this embodiment, the memory 41 is generally used for storing an operating system installed in the computer device 4 and various types of application software, such as computer readable instructions of an access control method. Further, the memory 41 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute computer readable instructions stored in the memory 41 or process data, for example, execute computer readable instructions of the access control method.
The network interface 43 may comprise a wireless network interface or a wired network interface, and the network interface 43 is generally used for establishing communication connection between the computer device 4 and other electronic devices.
The computer device provided in this embodiment may perform the steps of the above-described access control method. Here, the steps of the access control method may be the steps in the access control method of each of the above embodiments.
In the embodiment, the token bucket configuration information is acquired from the dynamic configuration management server for managing the token bucket, so that the token bucket is configured, when the token bucket configuration information changes dynamically, the token bucket can be updated dynamically, and the token bucket is used for access control, so that the flexibility of access control is improved; receiving an access request sent by a user terminal, carrying out access verification, extracting a token from the token bucket after the verification is passed, and sending the token to the user terminal, so that the user terminal can realize interface access, thereby realizing access control; redis can record the sending time stamp and the using time of the token, and the token can be dynamically cleared according to the time stamp and the using time of the token, so that the flexibility of the token bucket is improved, and the flexibility of access control is further improved.
The present application provides yet another embodiment, which provides a computer-readable storage medium having stored thereon computer-readable instructions executable by at least one processor to cause the at least one processor to perform the steps of the access control method as described above.
In the embodiment, the token bucket configuration information is acquired from the dynamic configuration management server for managing the token bucket, so that the token bucket is configured, when the token bucket configuration information changes dynamically, the token bucket can be updated dynamically, and the token bucket is used for access control, so that the flexibility of access control is improved; receiving an access request sent by a user terminal, carrying out access verification, extracting a token from the token bucket after the verification is passed, and sending the token to the user terminal, so that the user terminal can realize interface access, thereby realizing access control; redis can record the sending time stamp and the using time of the token, and the token can be dynamically cleared according to the time stamp and the using time of the token, so that the flexibility of the token bucket is improved, and the flexibility of access control is further improved.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
It is to be understood that the above-described embodiments are merely illustrative of some, but not restrictive, of the broad invention, and that the appended drawings illustrate preferred embodiments of the invention and do not limit the scope of the invention. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.
Claims (10)
1. An access control method, comprising the steps of:
obtaining token bucket configuration information from a dynamic configuration management server to configure a token bucket according to the token bucket configuration information;
receiving an access request sent by a user terminal;
performing access check on the access request through Redis;
extracting a token from the token bucket when the access request passes an access check;
sending the extracted token to the user terminal to enable the user terminal to realize access, and recording a sending timestamp and a token use duration of the token in the Redis;
and clearing the token of the token bucket according to the sending time stamp and the token use duration stored in the Redis.
2. The access control method of claim 1, wherein the step of obtaining token bucket configuration information from a dynamic configuration management server to configure a token bucket according to the token bucket configuration information comprises:
monitoring token bucket configuration information corresponding to a token bucket in the dynamic configuration management server;
and when the token bucket configuration information is monitored to change, acquiring current token bucket configuration information from the dynamic configuration server to dynamically configure the token bucket.
3. The access control method of claim 1, wherein after the step of obtaining token bucket configuration information from a dynamic configuration management server to configure a token bucket according to the token bucket configuration information, further comprising:
instructing the token bucket to generate tokens according to the token bucket configuration information;
and when the token bucket generates tokens, clearing the tokens of the token bucket according to the sending timestamp and the token service duration stored in the Redis.
4. The access control method according to claim 1, wherein after the step of receiving the access request sent by the user terminal, the method further comprises:
determining whether access verification is needed at the current moment according to the token bucket configuration information;
and when the access check is needed, executing the step of performing the access check on the access request through Redis.
5. The access control method according to claim 1, wherein the step of performing access check on the access request by Redis comprises:
extracting a terminal identification from the access request;
querying the terminal identification in the Redis;
and when the terminal identification is not inquired and an isolated token exists in the token bucket, determining that the access request passes the access check.
6. The access control method according to claim 5, wherein after the step of querying the terminal identity in the Redis, further comprising:
when the terminal identification is inquired, the token use duration stored corresponding to the inquired terminal identification is obtained;
comparing the token use duration with a preset token available duration;
and when the token use duration is less than the token available duration, determining that the access request passes the access check.
7. The access control method according to claim 1, wherein after the step of sending the extracted token to the user terminal to enable the user terminal to access and recording the sending timestamp and the token usage duration of the token in the Redis, the method further comprises:
monitoring access of the user terminal;
and when the user terminal is monitored to finish the access, recovering the token to the token bucket.
8. An access control apparatus, comprising:
the information acquisition module is used for acquiring token bucket configuration information from a dynamic configuration management server so as to configure a token bucket according to the token bucket configuration information;
the request receiving module is used for receiving an access request sent by a user terminal;
the request checking module is used for carrying out access checking on the access request through Redis;
the token extraction module is used for extracting tokens from the token bucket when the access request passes the access check;
the token sending module is used for sending the extracted token to the user terminal so as to enable the user terminal to realize access, and recording a sending timestamp and a token use duration of the token in the Redis;
and the token clearing module is used for clearing the tokens of the token bucket according to the sending timestamp and the token service duration stored in the Redis.
9. A computer device comprising a memory having computer readable instructions stored therein and a processor which, when executing the computer readable instructions, implements the steps of the access control method of any one of claims 1 to 7.
10. A computer-readable storage medium, having computer-readable instructions stored thereon, which, when executed by a processor, implement the steps of the access control method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011333722.0A CN112468409A (en) | 2020-11-24 | 2020-11-24 | Access control method, device, computer equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011333722.0A CN112468409A (en) | 2020-11-24 | 2020-11-24 | Access control method, device, computer equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112468409A true CN112468409A (en) | 2021-03-09 |
Family
ID=74798828
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011333722.0A Pending CN112468409A (en) | 2020-11-24 | 2020-11-24 | Access control method, device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112468409A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113194079A (en) * | 2021-04-23 | 2021-07-30 | 平安科技(深圳)有限公司 | Login verification method, device, equipment and storage medium |
CN113364798A (en) * | 2021-06-21 | 2021-09-07 | 浪潮云信息技术股份公司 | Redis-based user access frequency processing device |
CN114124399A (en) * | 2021-10-22 | 2022-03-01 | 杭州安恒信息安全技术有限公司 | Data access method and device and computer equipment |
CN114357481A (en) * | 2021-12-29 | 2022-04-15 | Oppo广东移动通信有限公司 | Access method and device of storage circuit, computer equipment and storage medium |
CN115277577A (en) * | 2022-09-28 | 2022-11-01 | 平安银行股份有限公司 | Data processing method, data processing device, computer equipment and computer readable storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656937A (en) * | 2015-11-03 | 2017-05-10 | 电信科学技术研究院 | Access control method, access control token issuing method and device |
CN111314238A (en) * | 2020-02-03 | 2020-06-19 | 网银在线(北京)科技有限公司 | Token management method and device, storage medium and electronic device |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656937A (en) * | 2015-11-03 | 2017-05-10 | 电信科学技术研究院 | Access control method, access control token issuing method and device |
WO2017076165A1 (en) * | 2015-11-03 | 2017-05-11 | 电信科学技术研究院 | Access control method, and access token issuing method and device |
CN111314238A (en) * | 2020-02-03 | 2020-06-19 | 网银在线(北京)科技有限公司 | Token management method and device, storage medium and electronic device |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113194079A (en) * | 2021-04-23 | 2021-07-30 | 平安科技(深圳)有限公司 | Login verification method, device, equipment and storage medium |
CN113194079B (en) * | 2021-04-23 | 2022-09-09 | 平安科技(深圳)有限公司 | Login verification method, device, equipment and storage medium |
CN113364798A (en) * | 2021-06-21 | 2021-09-07 | 浪潮云信息技术股份公司 | Redis-based user access frequency processing device |
CN114124399A (en) * | 2021-10-22 | 2022-03-01 | 杭州安恒信息安全技术有限公司 | Data access method and device and computer equipment |
CN114124399B (en) * | 2021-10-22 | 2024-04-16 | 杭州安恒信息安全技术有限公司 | Data access method, device and computer equipment |
CN114357481A (en) * | 2021-12-29 | 2022-04-15 | Oppo广东移动通信有限公司 | Access method and device of storage circuit, computer equipment and storage medium |
CN115277577A (en) * | 2022-09-28 | 2022-11-01 | 平安银行股份有限公司 | Data processing method, data processing device, computer equipment and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20210309 |