
Patent CN B - 一种用户权限分配方法和一种用户权限控制方法 (A user rights assignment method and a user access control method) - Google Patents. CN B, grant; published Aug 19, 2015; priority and filing date Nov 20, 2007.
A user rights assignment method and a user access control method (translated from CN)
The present invention provides a user access control method, comprising: obtaining the corresponding user's role from a preset user-role mapping table; extracting the role's resource access permissions, the resource access permissions being defined with regular expressions and recorded in a permission definition file, and the resources being identified by unique resource codes; intercepting the resource access request submitted by the user and obtaining the resource code of the requested resource; and matching the resource code against the role's resource access permissions, returning the resource to the user if the match succeeds, or rejecting the user's resource access request if the match fails. The invention can be applied to many system architectures in a pluggable manner, has a wide range of application, allows flexible definition, and can significantly reduce the cost of system development and implementation.
1. A user access control method, characterized in that it comprises: obtaining the corresponding user's role from a preset user-role mapping table, the user-role mapping table including a username field, a password field and a role field; extracting the role's resource access permissions, which are defined with regular expressions and recorded in a permission definition file, the resources being identified by unique resource codes; intercepting the resource access request submitted by the user and obtaining the resource code of the resource, the resources including user interfaces, interface elements and system application interfaces; matching the resource code against the role's resource access permissions, and if the match succeeds, returning the resource to the user, or if the match fails, rejecting the user's resource access request; wherein the regular expression of the resource access permissions is read from a global variable and regular-expression matched against the resource code.
2. The method according to claim 1, characterized in that it further comprises: reading the user-role mapping table into memory.
3. The method according to claim 2, characterized in that it further comprises: recording the current user's role and resource access permissions in a global variable.
4. The method according to claim 1, 2 or 3, characterized in that the resource code consists of a character string.
5. A user access control apparatus, characterized in that it comprises: a role acquisition module for obtaining the corresponding user's role from a preset user-role mapping table, the user-role mapping table including a username field, a password field and a role field; a permission acquisition module for extracting the role's resource access permissions, which are defined with regular expressions and recorded in a permission definition file, the resources being identified by unique resource codes; an accessed-resource determination module for intercepting the resource access request submitted by the user and obtaining the resource code of the resource, the resources including user interfaces, interface elements and system application interfaces; and a matching module for matching the resource code against the role's resource access permissions, returning the resource to the user if the match succeeds and rejecting the user's resource access request if the match fails; wherein the matching module comprises: a reading sub-module for reading the regular expression of the resource access permissions from a global variable; and an expression matching sub-module for regular-expression matching the regular expression against the resource code.
6. The apparatus according to claim 5, characterized in that it further comprises: a memory writing module for reading the user-role mapping table into memory.
7. The apparatus according to claim 6, characterized in that it further comprises: a shared recording module for recording the current user's role and resource access permissions in a global variable.
8. The apparatus according to claim 5, 6 or 7, characterized in that the resource code consists of a character string.
A user rights assignment method and a user access control method
Technical Field
[0001] The present invention relates to the field of user access control, and in particular to a user rights assignment method and apparatus, and a user access control method and apparatus.
Background Art
[0002] In application system development, adding an access control function to the application system so that different users have different resource access permissions is a very important feature. In the prior art, an application system's access control function is usually tightly coupled with each resource access module, that is, the corresponding permission-checking code is added to every resource access module, mixing program functionality with permission checks. Under this approach, extending or modifying the access control function is clearly difficult, and only a single resource type can be protected.
[0003] In this situation, the existing Tomcat addresses the above problems by providing Realm support. A Realm is similar to a group in Unix: in Unix, a group corresponds to certain system resources, and a group cannot access resources that do not belong to it. Tomcat uses Realms to assign different applications (analogous to system resources) to different users (analogous to groups); users without permission cannot access the application. Specifically, Tomcat provides three kinds of Realm: 1. JDBCRealm, which stores user information in a database and obtains it via JDBC for authentication; 2. JNDIRealm, which stores user information in an LDAP-based server and obtains it via JNDI; 3. MemoryRealm, which stores user information in an XML file and is the Realm used when the manager application authenticates users. The Realm authenticates the clients that access a given application.
[0004] However, a Tomcat Realm must be defined in the configuration file of the Tomcat web server software, so it only supports web applications based on the B/S (browser/server) architecture and depends heavily on Tomcat; it can only be applied to web applications deployed in Tomcat, and correspondingly Tomcat Realm only supports access control of web application URLs. Moreover, when defining which URLs a role may access, it offers only two ways, a URL list and the * wildcard, so Tomcat Realm's permission definitions are rather limited.
[0005] In summary, a technical problem that those skilled in the art urgently need to solve is how to propose, innovatively, a rights assignment and control method that is applicable to many system architectures, has a wide range of application, allows flexible definition, and has low development cost.
Summary of the Invention
[0006] The technical problem to be solved by the present invention is to provide a user rights assignment method and a user access control method that can be applied to many system architectures in a pluggable manner, have a wide range of application, allow flexible definition, and can significantly reduce the cost of system development and implementation.
[0007] The present invention also provides a user rights assignment apparatus and a user access control apparatus to ensure the implementation and application of the above methods in practice.
[0008] To solve the above problems, the present invention discloses a user rights assignment method, comprising:
[0009] defining users' roles and generating a user-role mapping table;
[0010] defining the roles' resource access permissions with regular expressions and recording them as a permission definition file, the resources being identified by unique resource codes.
[0011] Preferably, the user-role mapping table includes a username field, a password field and a role field.
[0012] Preferably, the permission definition file is an XML configuration file.
[0013] An embodiment of the present invention also discloses a user rights assignment apparatus, comprising:
[0014] a user role definition module for defining users' roles and generating a user-role mapping table;
[0015] a role permission definition module for defining the roles' resource access permissions with regular expressions and recording them as an XML file, the resources being identified by unique resource codes.
[0016] Preferably, the user-role mapping table includes a username field, a password field and a role field.
[0017] Preferably, the permission definition file is an XML configuration file.
[0018] An embodiment of the present invention also discloses a user access control method, comprising:
[0019] obtaining the corresponding user's role from a preset user-role mapping table;
[0020] extracting the role's resource access permissions, which are defined with regular expressions and recorded in a permission definition file, the resources being identified by unique resource codes;
[0021] intercepting the resource access request submitted by the user and obtaining the resource code of the resource, the resources including user interfaces, interface elements and system application interfaces;
[0022] matching the resource code against the role's resource access permissions; if the match succeeds, returning the resource to the user, and if the match fails, rejecting the user's resource access request.
[0023] Preferably, the method further comprises:
[0024] reading the user-role mapping table into memory.
[0025] Preferably, the method further comprises:
[0026] recording the current user's role and resource access permissions in a global variable.
[0027] Preferably, the matching step comprises:
[0028] reading the regular expression of the resource access permissions from the global variable and regular-expression matching it against the resource code.
[0029] Preferably, the resource code consists of a character string.
[0030] An embodiment of the present invention also discloses a user access control apparatus, comprising:
[0031] a role acquisition module for obtaining the corresponding user's role from a preset user-role mapping table;
[0032] a permission acquisition module for extracting the role's resource access permissions, which are defined with regular expressions and recorded in a permission definition file, the resources being identified by unique resource codes;
[0033] an accessed-resource determination module for intercepting the resource access request submitted by the user and obtaining the resource code of the resource, the resources including user interfaces, interface elements and system application interfaces;
[0034] a matching module for matching the resource code against the role's resource access permissions, returning the resource to the user if the match succeeds and rejecting the user's resource access request if the match fails.
[0035] Preferably, the apparatus further comprises:
[0036] a memory writing module for reading the user-role mapping table into memory.
[0037] Preferably, the apparatus further comprises:
[0038] a shared recording module for recording the current user's role and resource access permissions in a global variable.
[0039] Preferably, the matching module comprises:
[0040] a reading sub-module for reading the regular expression of the resource access permissions from the global variable;
[0041] an expression matching sub-module for regular-expression matching the regular expression against the resource code.
[0042] Compared with the prior art, the present invention has the following advantages:
[0043] First, because the present invention uses regular expressions to define the resource access permissions of user roles, the permission definitions of user roles are highly descriptive and very flexible, and can support access control at multiple granularities;
[0044] Second, the present invention only requires modifying the regular expressions in order to maintain or modify system permissions, which is convenient;
[0045] Furthermore, the protected resources in the present invention are uniquely identified by resource codes, and whether the user has access can be verified by matching the resource code of the currently requested resource against the regular expression of the resources that the current user's role is authorized to access; in short, the check is carried out by string matching, which is efficient and effectively saves system resources;
[0046] In addition, the present invention is applicable to different system architectures, has a very wide range of application, and is not limited by the system architecture pattern;
[0047] Finally, applying the present invention requires only very small modifications to the application system, so the development and implementation costs are very low.
Brief Description of the Drawings
[0048] FIG. 1 is a flowchart of an embodiment of a user rights assignment method of the present invention;
[0049] FIG. 2 is a structural block diagram of an embodiment of a user rights assignment apparatus of the present invention;
[0050] FIG. 3 is a flowchart of an embodiment of a user access control method of the present invention;
[0051] FIG. 4 is a structural block diagram of an embodiment of a user access control apparatus of the present invention;
[0052] FIG. 5 is a flowchart of user access control performed with the preferred embodiment shown in FIG. 4.
Detailed Description
[0053] To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.
[0054] The present invention can be used in numerous general-purpose or special-purpose computing device environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor apparatus, distributed computing environments including any of the above devices or apparatus, and so on.
[0055] The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
[0056] One of the core ideas of the embodiments of the present invention is a rights assignment and access control method that defines the access permission rules of roles for protected resources with regular expressions, enforces access control by intercepting business operations, and controls access to system resources at three granularities: user interfaces, interface sub-elements and system interfaces. It can be quickly implemented in a variety of system architectures and can significantly reduce the cost of development and implementation.
[0057] Referring to FIG. 1, a flowchart of an embodiment of a user rights assignment method of the present invention is shown, which may comprise:
[0058] Step 101: define users' roles and generate a user-role mapping table;
[0059] This step can be used to bind users to roles, assign roles to users, and record the mapping between users and roles.
[0060] For example, assume the user information is as shown in the following table:
[0061]
[0062] The role information is as shown in the following table:
[0063]
[0064] Define the roles of the corresponding users, generating the user-role mapping table:
[0065]
[0066] It will be understood that in the present invention the user is the owner of permissions. The role is the unit and carrier of permission assignment, and roles can also support hierarchical permissions through inheritance. For example, a section chief role can simultaneously hold the section chief role and the roles of the section's various business staff.
[0067] In practice, the user's basic information such as account and password, together with the roles defined for the user, can all be stored in a single user-role mapping table. Therefore, preferably, the user-role mapping table can include a username field, a password field and a role field; for example, see the following table:
[0068]
[0069] Here the manager can be given fairly high permissions, for example by inheriting the storekeeper and purchaser roles, i.e. holding the permissions of all three roles.
[0070] Step 102: define the roles' resource access permissions with regular expressions and record them as a permission definition file;
[0071] wherein the resources are identified by unique resource codes.
[0072] A permission in this embodiment can be understood as an access permission to operate on a protected resource, bound to a particular resource instance. Correspondingly, the access strategy is related to the resource category, and different resource categories may use different access modes. For example, a page has the access modes "can be opened" and "cannot be opened", a button has "enabled" and "disabled", and a text edit box has "editable" and "not editable". Exclusion and inclusion relationships may exist among the access strategies of the same resource; for example, the "modifiable" access mode of a data set includes the "queryable" access mode.
[0073] As is well known, a regular expression is a tool for text matching, usually composed of ordinary characters and metacharacters. Ordinary characters include upper- and lower-case letters and digits, while metacharacters have special meanings. Regular expression matching can be understood as finding, in a given string, the parts that match a given regular expression. More than one part of the string may satisfy the given regular expression, in which case each such part is called a match. In this document "match" can carry three meanings: an adjectival one, as in a string matches an expression; a verbal one, as in matching a regular expression in a string; and a nominal one, namely the part of the string just mentioned that satisfies the given regular expression.
[0074] The rules for constructing regular expressions are explained below by example.
[0075] Suppose hi is to be found; the regular expression hi can be used. This regular expression exactly matches a string of two characters, the first being h and the second i. In practice, regular expressions can be made case-insensitive. Many words contain the two consecutive characters hi, such as him, history, high and so on; searching with hi will also find the hi inside those words. To find exactly the word hi, \bhi\b should be used.
[0076] Here \b is a regular expression metacharacter that represents the beginning or end of a word, that is, a word boundary. Although English words are usually separated by spaces, punctuation or line breaks, \b does not match any of these separators; it matches only a position.
[0077] If what is sought is hi followed not far behind by Lucy, \bhi\b.*\bLucy\b should be used. Here . is another metacharacter that matches any character except a newline. * is also a metacharacter; it denotes a count, specifying that the content before * may repeat consecutively any number of times so that the whole expression matches. The meaning of \bhi\b.*\bLucy\b is now clear: first the word hi, then any number of arbitrary characters (but not newlines), and finally the word Lucy.
[0078] Based on the above, the definition of role permissions for three types of system resource, namely user interfaces (UI MainFrame), interface elements (UIElement) and system application interfaces (Application Interface), is described below as an example.
[0079] The user interface can be the main interface operated by the user, for example a web page in a web application, or the main interface that appears when a menu item is clicked in an application. Access control for user interfaces can therefore be understood as window-level access control. The interface elements can be child nodes of the user interface, for example buttons and text boxes on a web page, or an application's menu items. Access control for interface elements can therefore be understood as button-level access control. The system application interface can be a functional interface of the system.
[0080] It should be noted that in the present invention a unique resource code, or resource code rule, should be specified for every resource (protected resource). The resource code preferably consists of a character string, that is, letters, digits and/or other characters (such as the underscore), so that during permission checking the resource code of the resource currently being accessed can be matched against the regular expression in the permission definition file that specifies the resource access permissions of the current user's role.
[0081] For example, if the protected resource of a web site application is a web page, the page's URL can be used as its resource code; if the protected resource of a desktop information system is a button or a menu item, the application resource ID of that button can be used as its resource code.
[0082] Preferably, the permission definition file can be an XML configuration file.
[0083] In that case, a regular expression is specified for each role, and the format defining that role's resource access permissions can be as follows:
[0084] <role name='role name' type='resource type' pattern='regular expression'/>
[0085] I. Example of defining an access strategy for user interfaces (UI MainFrame) with regular expressions:
[0086] Assume the application scenario is a web site (www.alibaba.com) whose system protects its URLs, and the user management pages are all placed under the site's user_manage directory.
[0087] 1. The permissions of the user administrator (userAdmin) are defined as follows:
[0088] <!-- the user administrator has all data management permissions -->
[0089] <role name='userAdmin' type='url' pattern='http://www.alibaba.com/user_manage/*.htm'/>
[0090] 2. The permissions of the data entry clerk (userInputer) are defined as follows:
[0091] <!-- the data entry clerk has permission to add, modify and delete data, but not to view the user list -->
[0092] <role name='userInputer' type='url' pattern='http://www.alibaba.com/user_manage/[add|edit|del]*.htm'/>
[0093] As can be seen, the content of the pattern attribute in this XML fragment is the regular expression defining the web site URLs that the system role may access.
[0094] In this case, when a user holding the corresponding role accesses the site, only URL accesses matching the corresponding regular expression are allowed.
[0095] II. Example of defining an access strategy for interface elements (UI Element) with regular expressions:
[0096] Assume that in the user interface of the purchasing module of an enterprise purchase-sales-inventory system all menu item names are prefixed BUY_MENU, all button names are prefixed BUY_BUTTON and all text boxes are prefixed BUY_TEXT, and that in the user interface of the sales module all menu item names are prefixed SALE_MENU, all button names are prefixed SALE_BUTTON and all text boxes are prefixed SALE_TEXT.
[0097] 1. The permissions of the purchasing document entry clerk (buyerInputer) are defined as follows:
[0098] <!-- the purchasing document entry clerk has permission to enter purchasing documents, but not to modify, delete or view them -->
[0099] <role name='buyerInputer' type='ui_element' pattern='BUY_*_ADD'/>
[0100] 2. The permissions of the purchaser (buyer) are defined as follows:
[0101] <!-- the purchaser has permission to access the purchasing management interface and to click or enter the buttons, menus and text boxes of the purchasing management interface -->
[0102] <role name='buyer' type='ui_element' pattern='BUY_*'/>
[0103] 3. The permissions of the salesperson (seller) are defined as follows:
[0104] <!-- the salesperson has permission to access the sales management interface and to click or enter the buttons, menus and text boxes of the purchasing management interface -->
[0105] <role name='seller' type='ui_element' pattern='SELL*'/>
[0106] III. Example of defining an access strategy for system application interfaces (Application Interface) with regular expressions:
[0107] The permissions of the administrator (admin) are defined as follows:
[0108] <!-- admin has permission to call all methods of the com.test.website.admin.ManageUser interface whose names begin with add, edit or del -->
[0109] <role name='admin' type='interface' pattern='^com.test.website.admin.ManageUser.[add|edit|del]*'/>
[0110] Referring to Figure 2, which shows a block diagram of an embodiment of a user permission assignment apparatus of the invention, the user permission assignment apparatus 20 may include:
[0111] a user role definition module 201, for defining the user's role and generating the user-role mapping table;
[0112] a role permission definition module 202, for defining the role's resource access permissions with regular expressions and recording them as an XML file, the resources being identified by unique resource codes.
[0113] Preferably, the user-role mapping table includes a username field, a password field and a role field.
[0114] Preferably, the permission definition file is an XML configuration file.
[0115] Since this embodiment corresponds essentially to the method embodiment shown in Figure 1, its description is relatively brief; for relevant details see the description of the method embodiment.
[0116] Referring to Figure 3, which shows a flow chart of an embodiment of a user permission control method of the invention, the method may include the following steps:
[0117] Step 301: obtain the corresponding user's role from the preset user-role mapping table;
[0118] Step 302: extract the role's resource access permissions, which are defined with regular expressions and recorded in the permission definition file, the resources being identified by unique resource codes;
[0119] Step 303: intercept the resource access request submitted by the user and obtain the resource code of the resource;
[0120] Step 304: match the resource code against the role's resource access permissions; if the match succeeds, go to step 305; if it fails, go to step 306;
[0121] Step 305: return the resource to the user;
[0122] Step 306: reject the user's resource access request.
[0123] The user-role mapping table can be used to record the mapping between users and roles.
[0124] For example, assume the user information is as shown in the following table:
[0125] (table not reproduced on the page)
[0126] The role information is as shown in the following table:
[0127] (table not reproduced on the page)
[0128] Defining the corresponding users' roles produces the user-role mapping table:
[0129] (table not reproduced on the page)
[0130] It will be understood that in the invention the user is the owner of permissions. The role is the unit and carrier of permission assignment, and roles can also support hierarchical permissions through inheritance: for example, a section chief role holds both the section chief role and the roles of the different business staff in the section.
[0131] In practice, the user's basic information such as account name and password, together with the role defined for the user, can all be stored in one user-role mapping table; preferably, therefore, the user-role mapping table includes a username field, a password field and a role field.
[0132] To speed up reading of the user-role mapping, this embodiment may further include the step:
[0133] reading the user-role mapping table into memory.
[0134] For example, when a trigger condition is met (such as start-up of the system that applies this embodiment), the user-role mapping table can be read into a specific area of memory (such as a user pool) to speed up the user-to-role mapping.
[0135] Note that the invention should assign every (protected) resource a unique resource code or resource code rule. The resource code is preferably a string, that is, composed of letters, digits and/or other characters (such as the underscore), so that at permission check time the resource code of the resource being accessed can be matched against the regular expression that the permission definition file specifies as the resource access permission of the current user's role.
[0136] Preferably, this embodiment may further include the step:
[0137] recording the current user's role and resource access permissions in a global variable.
[0138] Specifically, once the corresponding user's role has been obtained, the role can be recorded in a global variable of that user's session so that permission checks can be made when the user accesses resources; after the role's resource access permissions have been extracted, the regular expressions representing those permissions are recorded in the same global variable.
[0139] When the user submits a resource access request, for example by accessing a URL or clicking a button or menu, the user's request can be intercepted to obtain the resource code of the resource the user wants to access. The regular expression of the user's permission is then read from the global variable and matched against the resource code of the requested resource; if the match succeeds the requested resource is returned, and if it fails the user's access request is rejected.
[0140] In practice, to protect resources at multiple granularities, so that the invention applies not only to website systems of B/S architecture but also to desktop applications of C/S architecture, several different interception methods can be used for resource access requests of different granularity and type. For example, the interception methods used for the three kinds of system resource (user interfaces, interface elements and application interfaces) are shown in the following table:
[0141] (table not reproduced on the page)
[0142] In that case, when the user specifies in the configuration file which resources a role may access, the protection granularity and the resource type must be given as well, to indicate which interception method is used to listen for and intercept the user's resource access requests. For regular expression matching, the regular expression package of the Java language can be used by default.
[0143] Preferably, after the user's access request is rejected, an error page or error message can be returned to the user to indicate that access was denied.
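The control method of steps 301-306 and paragraphs [0131]-[0143] carried through end to end, as an added example that is not the patent's own (Java) code. The user-role table, the parsed role permissions, the single-slot session registry and the ManageUser class are constructed; INTERFACE_PREFIX stands in for the Java package name that the resource code of an interface method would carry. For application interfaces the interception point is a decorator, the Python analogue of the method interception the page assigns to a table it does not reproduce; for UI elements the caller passes the element's name as the resource code. A practitioner's caveat: hiding or refusing a button on the client is not enforcement, so the same check has to run server-side on whatever request the button sends, which is what the interface-level guard is for.

```python
import re

# Constructed user-role mapping table ([0131]): username, password and role
# fields. Password values are placeholders; a real table holds salted hashes.
USER_ROLE_TABLE = [
    {"username": "alice", "password": "<hash>", "role": "buyerInputer"},
    {"username": "bob",   "password": "<hash>", "role": "buyer"},
    {"username": "carol", "password": "<hash>", "role": "admin"},
]

# The permission definition file already parsed: role -> [(resource type, regex)].
# Patterns are real regular expressions; Session.check anchors them with fullmatch.
ROLE_PERMISSIONS = {
    "buyerInputer": [("ui_element", r"BUY_.*_ADD")],
    "buyer":        [("ui_element", r"BUY_.*")],
    "admin":        [("interface",  r"com\.test\.website\.admin\.ManageUser\.(add|edit|del)\w*")],
}

# Stands in for the Java package that prefixes an interface's resource code.
INTERFACE_PREFIX = "com.test.website.admin"


class AccessDenied(Exception):
    """Step 306: the caller turns this into the error page or message of [0143]."""


class UserPool:
    """Step 501 / [0134]: the mapping table read into memory at start-up."""

    def __init__(self, table):
        self._by_name = {row["username"]: row for row in table}

    def role_of(self, username):  # step 301 / 502
        row = self._by_name.get(username)
        return row["role"] if row else None


class Session:
    """The per-session 'global variable' of [0138]: role plus compiled patterns."""

    def __init__(self, username, pool, permissions):
        self.username = username
        self.role = pool.role_of(username)                       # steps 502-503
        self.permissions = [                                     # steps 504-505
            (rtype, re.compile(pattern))
            for rtype, pattern in permissions.get(self.role, [])
        ]

    def check(self, resource_type, resource_code):
        """Steps 507-508: the whole resource code must match a same-type pattern."""
        return any(
            rtype == resource_type and regex.fullmatch(resource_code) is not None
            for rtype, regex in self.permissions
        )


# Hypothetical single-slot session registry, enough for a demonstration.
_ACTIVE = {}


def login(username, pool, permissions):
    _ACTIVE["session"] = Session(username, pool, permissions)
    return _ACTIVE["session"]


def current_session():
    return _ACTIVE["session"]


def request_ui_element(session, resource_code):
    """Step 506 for UI elements: the element's name is its resource code."""
    if not session.check("ui_element", resource_code):
        raise AccessDenied(f"{session.username} may not use {resource_code}")
    return resource_code  # stands in for returning the element (step 305)


def guarded(session_getter):
    """Step 506 for application interfaces: the decorator is the interception
    point and the resource code is the method's fully qualified name."""
    def decorate(func):
        code = f"{INTERFACE_PREFIX}.{func.__qualname__}"

        def wrapper(*args, **kwargs):
            session = session_getter()
            if not session.check("interface", code):
                raise AccessDenied(f"{session.username} may not call {code}")
            return func(*args, **kwargs)

        wrapper.resource_code = code
        return wrapper
    return decorate


class ManageUser:
    """Constructed stand-in for the com.test.website.admin.ManageUser interface."""

    @guarded(current_session)
    def addUser(self, name):
        return f"added {name}"

    @guarded(current_session)
    def listUsers(self):
        return [row["username"] for row in USER_ROLE_TABLE]


def denied(action, *args):
    """True if the action raises AccessDenied (convenient for callers and tests)."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False
```

Calling login("carol", UserPool(USER_ROLE_TABLE), ROLE_PERMISSIONS) and then ManageUser().addUser("dave") succeeds, while ManageUser().listUsers() raises AccessDenied because listUsers does not match the admin pattern; a user absent from the table gets a session with no role and no permissions, so every check fails closed.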
[0144] It will be understood that, for simplicity of description, the method embodiment is expressed as a combination of a series of actions, but those skilled in the art will know that the invention is not limited by the described order of actions, because according to the invention some steps may be performed in another order or simultaneously: for example, steps 301 and 302 and step 303 may be performed at the same time, or step 303 may be performed first and then steps 301 and 302. Secondly, those skilled in the art will also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the invention.
[0145] Referring to Figure 4, which shows a block diagram of an embodiment of a user permission control apparatus of the invention, the apparatus may include:
[0146] a role acquisition module 401, for obtaining the corresponding user's role from the preset user-role mapping table;
[0147] a permission acquisition module 402, for extracting the role's resource access permissions, which are defined with regular expressions and recorded in the permission definition file, the resources being identified by unique resource codes;
[0148] an accessed-resource determination module 403, for intercepting the resource access request submitted by the user and obtaining the resource code of the resource;
[0149] a matching module 404, for matching the resource code against the role's resource access permissions, returning the resource to the user if the match succeeds and rejecting the user's resource access request if it fails.
[0150] Preferably, this embodiment may further include a memory writing module for reading the user-role mapping table into memory.
[0151] Preferably, this embodiment may further include a shared recording module for recording the current user's role and resource access permissions in a global variable. In that case the matching module 404 may include the following sub-modules:
[0152] a reading sub-module, for reading the regular expression of the resource access permission from the global variable;
[0153] an expression matching sub-module, for matching the regular expression against the resource code.
[0154] Referring to Figure 5, which shows a flow chart of user permission control using the preferred embodiment of Figure 4, the procedure may include the following steps:
[0155] Step 501: the memory writing module reads the user-role mapping table into memory;
[0156] Step 502: the role acquisition module obtains the corresponding user's role from the user-role mapping table;
[0157] for example, in an application system, once the user has logged in, the user information is passed to the role acquisition module, which looks up the user's role in the user-role mapping table on the basis of that information;
[0158] Step 503: the shared recording module records the current user's role in the global variable;
[0159] Step 504: the permission acquisition module extracts the role's resource access permissions;
[0160] where the resource access permissions are defined with regular expressions and recorded in the permission definition file, the resources being identified by unique resource codes;
[0161] Step 505: the shared recording module records the current user role's resource access permissions in the global variable;
[0162] Step 506: the accessed-resource determination module intercepts the resource access request submitted by the user and obtains the resource code of the resource;
[0163] Step 507: the matching module matches the resource code against the role's resource access permissions, which can be done in the following sub-steps:
[0164] Sub-step S1: the reading sub-module reads the regular expression of the resource access permission from the global variable;
[0165] Sub-step S2: the expression matching sub-module matches the regular expression against the resource code.
[0166] Step 508: if the match succeeds, the resource is returned to the user; if it fails, the user's resource access request is rejected.
[0167] To help those skilled in the art understand the invention better, the embodiments of the invention are compared below with the closest prior art, Tomcat Realm:
[0168] (1) Difference in dependencies:
[0169] A Tomcat Realm must be defined in the configuration file of the Tomcat web server software, so it only supports web applications of B/S architecture, depends heavily on Tomcat, and can only be applied to web applications deployed in Tomcat. Other web server software such as WebLogic and WebSphere has Realm-like components with the same problem: each only supports web applications deployed in its own server software.
[0170] The embodiments of the invention, by contrast, are independent of the web application server and have their own configuration file, so they support not only software of B/S architecture but also software of C/S architecture.
[0171] (2) Difference in permission granularity:
[0172] Tomcat Realm only supports permission control on the URLs of a web application.
[0173] The embodiments of the invention support permission control at three granularities, user interfaces (such as a URL or the main window of a C/S client program), interface elements and underlying interfaces, and so have a broader range of application.
[0174] (3) Difference in the way permissions are defined:
[0175] Tomcat Realm's permission definition does not support regular expressions; when it defines which URLs a role may access there are only two ways, a list of URLs and the asterisk wildcard, for example:
[0176] <web-resource-collection>
[0177] <web-resource-name>
[0178] BOPS editor1 Protected Area
[0179] </web-resource-name>
[0180] <url-pattern>/admin/viewcatelist</url-pattern>
[0181] <url-pattern>/admin/categoryinfo</url-pattern>
[0182] <url-pattern>/admin/modifycategory</url-pattern>
[0183] <url-pattern>/admin/modifycatestatus</url-pattern>
[0184] <url-pattern>/admin/deletecategory</url-pattern>
[0185] <url-pattern>/admin/movecategory</url-pattern>
[0186] <url-pattern>/admin/addcategory</url-pattern>
[0187] </web-resource-collection>
[0188] or, with an asterisk marking every URL under a directory:
[0189] <web-resource-collection>
[0190] <web-resource-name>
[0191] BOPS admin Protected Area
[0192] </web-resource-name>
[0193] <url-pattern>/admin/*</url-pattern>
[0194] </web-resource-collection>
[0195] As can be seen, Tomcat Realm's permission definition is rather limited.
[0196] The embodiments of the invention, by contrast, support complex regular expressions and are therefore more flexible and can define very complex access logic. For example, to define the permission of the administrator (admin) role as access to every URL under the admin directory that begins with add, edit or del, but not to URLs beginning with preview, the corresponding XML fragment is:
[0197] <role name='userInputer' type='url' pattern='http://www.alibaba.com/user_manage/[add|edit|del|^preview]*.htm'/>
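The two bracketed patterns on this page, [add|edit|del]* in paragraph [0109] and [add|edit|del|^preview]*.htm in [0197], do not express the rules the surrounding text describes: inside [...] a regular expression engine treats | and ^ as ordinary characters and the brackets as a set of single characters, so [add|edit|del]* means "any run of the letters a, d, e, i, t, l and |". The added example below is not the patent's code; the URLs and method names are constructed. It runs the page's patterns side by side with patterns that use a group for alternation, escape the literal dots and anchor both ends, and includes a small model of the servlet url-pattern matching that the page attributes to Tomcat Realm, which has no way to say "everything except preview".

```python
import re

# Patterns copied from the page ([0109] and [0197]); the "I" printed between
# the alternatives on the page is an OCR rendering of "|".
PAGE_INTERFACE_PATTERN = r"^com.test.website.admin.ManageUser.[add|edit|del]*"
PAGE_URL_PATTERN = r"http://www.alibaba.com/user_manage/[add|edit|del|^preview]*.htm"

# What the prose says those rules should mean: a group for alternation, a
# negative lookahead for the exclusion, escaped dots and an end anchor.
INTENDED_INTERFACE_PATTERN = r"^com\.test\.website\.admin\.ManageUser\.(add|edit|del)\w*$"
INTENDED_URL_PATTERN = (
    r"^http://www\.alibaba\.com/user_manage/(?!preview)(add|edit|del)\w*\.htm$"
)


def grants(pattern, resource_code):
    """Whole-string match, the only safe way to apply a permission regex."""
    return re.fullmatch(pattern, resource_code) is not None


def compare(page_pattern, intended_pattern, resource_codes):
    """For each code: (what the page's literal pattern grants, what was intended)."""
    return {
        code: (grants(page_pattern, code), grants(intended_pattern, code))
        for code in resource_codes
    }


def unanchored_search_grants(pattern, resource_code):
    """What happens if the check uses a substring search instead of fullmatch:
    a pattern ending in [...]* then matches zero characters and grants everything."""
    return re.search(pattern, resource_code) is not None


def tomcat_url_pattern_matches(url_pattern, path):
    """Servlet url-pattern semantics as the page describes them for Tomcat Realm:
    an exact path or a '/dir/*' prefix (extension mappings are omitted)."""
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == url_pattern


if __name__ == "__main__":
    base = "http://www.alibaba.com/user_manage/"
    urls = [base + name + ".htm" for name in ("addUser", "delete", "preview", "view")]
    for url, (page_says, intended) in compare(PAGE_URL_PATTERN, INTENDED_URL_PATTERN, urls).items():
        print(f"{url}: page pattern grants={page_says}, intended={intended}")
```

With the page's URL pattern, preview.htm and view.htm are granted (every letter of those names is in the character class) while addUser.htm is refused (the capital U is not), the reverse of the stated intent; with the page's interface pattern, a substring search grants listUsers as well, because [...]* happily matches nothing.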
[0198] In summary, the advantages of the invention can be stated as follows:
[0199] By defining the resource access permissions of user roles with regular expressions, the invention makes permission definitions highly descriptive and very flexible, and supports access control at multiple granularities: coarse-grained control (at the class level, that is, considering only the type of object and not a particular instance of it; for example, in user management, create and delete apply to all users alike and do not distinguish the specific object instance being operated on) of window-level user interfaces; fine-grained control (at the instance level, that is, considering the specific instance of the object; fine-grained control is of course applied only after the coarse-grained object class has been considered; for example, in contract management, list and delete must distinguish whether a contract instance was created by the current user) of button-level interface elements; and system-level access control of underlying function modules.
Further, system permissions can be maintained or modified simply by editing the regular expressions, which is convenient. Moreover, protected resources in the invention are uniquely identified by resource codes, and whether a user has access is checked by matching the resource code of the currently requested resource against the regular expression of the resources the current user's role is authorized to access; in short, the check is a string match, which is efficient and saves system resources. In addition, the invention applies to different system architectures: it can protect not only the URLs of a website and the user interfaces of B/S and C/S application software but also page elements within a user interface such as menu items, buttons and text boxes, so its range of application is very wide and not restricted by the architectural pattern; and when the invention is integrated with an application system in practice, the changes to the application are very small, so the cost of adoption is very low.
[0200] Note that the embodiments in this specification are described in a progressive manner; each embodiment concentrates on its differences from the others, and the same or similar parts of the embodiments may be consulted against each other. The apparatus embodiments, being essentially similar to the method embodiments, are described relatively briefly; for relevant details see the description of the method embodiments.
[0201] The user permission assignment method and apparatus and the user permission control method and apparatus provided by the invention have been described above in detail. Specific examples have been used here to explain the principles and embodiments of the invention; the description of the embodiments above serves only to help understand the method of the invention and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the invention, make changes in the specific embodiments and the scope of application. In summary, the contents of this specification should not be understood as limiting the invention.