
CN115150831B - Method, device, server and medium for processing network access request - Google Patents


Info

Publication number
CN115150831B
Authority
CN
China
Prior art keywords
account
network access
target account
server
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210689487.3A
Other languages
Chinese (zh)
Other versions
CN115150831A (en)
Inventor
刘成伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba Cloud Computing Ltd
Events
Application filed by Alibaba Cloud Computing Ltd
Priority to CN202210689487.3A
Publication of CN115150831A
Application granted
Publication of CN115150831B
Legal status: Active


Classifications

    • H04W 12/069 Authentication using certificates or pre-shared keys (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication)
    • H04L 63/0442 Network architectures or protocols for network security providing a confidential data exchange among entities communicating through packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 > H04L 63/04 > H04L 63/0428)
    • H04L 63/0823 Network architectures or protocols for network security for authentication of entities using certificates (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 > H04L 63/08)
    • H04W 12/03 Protecting confidentiality, e.g. by encryption (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

One or more embodiments of the present application provide a method, an apparatus, a server, and a medium for processing a network access request. The network access certificate issued to a target account carries an identity source identifier that is unique to that account within the target application. When a network access request arrives and the validity check of the certificate it carries passes, the server reads the identity source identifier from the certificate, uses it to look up the current account status of the target account, and processes the request according to that status. Network access control is therefore based on the account status rather than on the certificate's validity period alone.

Description

Network access request processing method, device, server and medium
Technical Field
One or more embodiments of the present disclosure relate to the field of communications technologies, and in particular, to a method, an apparatus, a server, and a medium for processing a network access request.
Background
Most enterprise networks handle a massive number of network access requests every day and must manage access from many kinds of office terminals, including desktop computers, laptops and mobile phones. Network security construction is therefore critical: where it is incomplete, security risks follow. Network admission control, as the first step in enterprise network security management, is an important link in building a safer and more stable enterprise network environment.
In the related art, network admission control mainly relies on the 802.1X protocol to keep unauthorized users off the enterprise network. An 802.1X deployment authenticates a user connecting to the enterprise network and issues an access certificate to the authenticated user, who then uses that certificate to gain access to the enterprise network on later connections.
The validity period of such a network access certificate is typically several years. Even if the user's employment status changes (for example, the user leaves the organization, the account is frozen, or the user is reinstated), the user can keep accessing the enterprise network with the certificate for as long as it remains within its validity period, which is a serious security risk for enterprise network management. A method for processing access requests that implements admission control for the enterprise network is therefore needed.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a method, an apparatus, a server, and a medium for processing a network access request.
In order to achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
According to a first aspect of one or more embodiments of the present disclosure, a method for processing a network access request is provided. The method is applied to a server and includes:
in response to a network access request from a target account, checking the validity of the network access certificate carried by the network access request;
when the validity check of the network access certificate passes, obtaining from the network access certificate an identity source identifier that is unique to the target account within the target application;
obtaining the account status of the target account based on the identity source identifier; and
processing the network access request based on the account status.
In some embodiments, the identity source identifier is obtained by encrypting, with a configured key, the account identifier of the target account together with the institution identifier of the institution to which the target account belongs;
and obtaining the account status of the target account based on the identity source identifier includes:
decrypting the identity source identifier with a configured private key to obtain the account identifier of the target account and the institution identifier of the institution to which the target account belongs; and
obtaining, based on the account identifier, the account status of the target account from the data storage location in the server that corresponds to the institution identifier, where different institution identifiers correspond to different data storage locations in the server.
In some embodiments, processing the network access request based on the account status includes either of the following:
responding to the network access request when the account status indicates that the target account is in a configured (permitted) state; and
rejecting the network access request when the account status indicates that the target account is not in the configured state.
In some embodiments, before receiving the network access request and checking the validity of the network access certificate it carries, the method further includes:
receiving a login request from the target account, the login request carrying first account information;
verifying the validity of the target account based on the first account information carried by the login request; and
allowing the target account to log in when the validity check of the target account passes.
In some embodiments, after the target account has been allowed to log in, the method further includes:
when the target account logs in for the first time, in response to a received certificate acquisition request from the target account, obtaining an identity source identifier based on second account information carried by the certificate acquisition request, and adding the identity source identifier to the network access certificate generated for the target account; and
sending the network access certificate to the terminal device corresponding to the target account.
In some embodiments, the second account information includes at least the account identifier of the target account and the institution identifier of the institution to which the target account belongs;
and obtaining the identity source identifier based on the second account information carried by the certificate acquisition request includes:
encrypting, with the configured key, the account identifier and the institution identifier included in the second account information to obtain the identity source identifier.
In some embodiments, before the identity source identifier is obtained from the second account information and added to the network access certificate generated for the target account, the method further includes:
checking the second account information, and performing the step of obtaining the identity source identifier and adding it to the network access certificate only when the second account information passes the check.
In some embodiments, the server includes a first server and at least one second server. The first server provides the network access request processing service for the at least one second server; each second server is the back-end server of a target application used by the institution to which the target account belongs, and stores at least the identity source identifiers and account statuses of the accounts registered in that target application.
According to a second aspect of one or more embodiments of the present disclosure, an apparatus for processing a network access request is provided. The apparatus is applied to a server and includes:
a verification module, configured to check, in response to a network access request from a target account, the validity of the network access certificate carried by the network access request;
an identifier acquisition module, configured to obtain from the network access certificate, when the validity check of the network access certificate passes, an identity source identifier that is unique to the target account within the target application;
a status acquisition module, configured to obtain the account status of the target account based on the identity source identifier; and
a processing module, configured to process the network access request based on the account status.
In some embodiments, the identity source identifier is obtained by encrypting, with a configured key, the account identifier of the target account together with the institution identifier of the institution to which the target account belongs;
and the status acquisition module, when obtaining the account status of the target account based on the identity source identifier, is configured to:
decrypt the identity source identifier with a configured private key to obtain the account identifier of the target account and the institution identifier of the institution to which the target account belongs; and
obtain, based on the account identifier, the account status of the target account from the data storage location in the server that corresponds to the institution identifier, where different institution identifiers correspond to different data storage locations in the server.
In some embodiments, the processing module, when processing the network access request based on the account status, is configured to:
respond to the network access request when the account status indicates that the target account is in a configured (permitted) state; and
reject the network access request when the account status indicates that the target account is not in the configured state.
In some embodiments, the apparatus further includes:
a receiving module, configured to receive a login request from the target account, the login request carrying first account information;
and the verification module is further configured to verify the validity of the target account based on the first account information carried by the login request, and to allow the target account to log in when the validity check of the target account passes.
In some embodiments, the identifier acquisition module is further configured to obtain, when the target account logs in for the first time and in response to a received certificate acquisition request from the target account, an identity source identifier based on second account information carried by the certificate acquisition request;
and the apparatus further includes:
an adding module, configured to add the identity source identifier to the network access certificate generated for the target account; and
a sending module, configured to send the network access certificate to the terminal device corresponding to the target account.
In some embodiments, the second account information includes at least the account identifier of the target account and the institution identifier of the institution to which the target account belongs;
and the identifier acquisition module, when obtaining the identity source identifier based on the second account information carried by the certificate acquisition request, is configured to:
encrypt, with the configured key, the account identifier and the institution identifier included in the second account information to obtain the identity source identifier.
In some embodiments, the verification module is further configured to check the second account information, and the step of obtaining the identity source identifier from the second account information and adding it to the network access certificate generated for the target account is performed only when the second account information passes the check.
In some embodiments, the server includes a first server and at least one second server. The first server provides the network access request processing service for the at least one second server; each second server is the back-end server of a target application used by the institution to which the target account belongs, and stores at least the identity source identifiers and account statuses of the accounts registered in that target application.
According to a third aspect of one or more embodiments of the present disclosure, a server is provided, including:
a processor; and
a memory for storing instructions executable by the processor;
where the processor executes the executable instructions to implement the operations performed by the method for processing a network access request provided in the first aspect and any embodiment of the first aspect.
According to a fourth aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided, storing computer instructions which, when executed by a processor, implement the operations performed by the method for processing a network access request provided in the first aspect and any embodiment of the first aspect.
According to a fifth aspect of one or more embodiments of the present disclosure, a computer program product is provided, including a computer program which, when executed by a processor, implements the operations performed by the method for processing a network access request provided in the first aspect and any embodiment of the first aspect.
Drawings
Fig. 1 is a schematic diagram of an implementation environment for a method of processing a network access request according to an exemplary embodiment.
Fig. 2 is a schematic diagram of an implementation environment for another method of processing a network access request according to an exemplary embodiment.
Fig. 3 is a flowchart of a method of processing a network access request according to an exemplary embodiment.
Fig. 4 is a flowchart of a login process according to an exemplary embodiment.
Fig. 5 is a flowchart of a login process according to an exemplary embodiment.
Fig. 6 is a flowchart of a network access certificate issuing process according to an exemplary embodiment.
Fig. 7 is a flowchart of a network access certificate issuing process according to an exemplary embodiment.
Fig. 8 is a flowchart of a certificate issuing process according to an exemplary embodiment.
Fig. 9 is a flowchart of a network admission control process according to an exemplary embodiment.
Fig. 10 is a flowchart of a network admission control process according to an exemplary embodiment.
Fig. 11 is a flowchart of a network admission control process according to an exemplary embodiment.
Fig. 12 is a flowchart of a method of processing a network access request according to an exemplary embodiment.
Fig. 13 is a block diagram of an apparatus for processing a network access request according to an exemplary embodiment.
Fig. 14 is a schematic block diagram of a server according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, a single step described in this specification may be described as being split into multiple steps in other embodiments, while multiple steps described in this specification may be described as being combined into a single step in other embodiments.
First, some technical terms used in the present application are explained:
Secure Access Service Edge (SASE): a framework of software and hardware tools for securing access to cloud and network resources by applications, services, users and machines, typically delivered as a cloud service.
Public Key Infrastructure (PKI): the collection of hardware, software, personnel, policies and procedures used to generate, manage, store, distribute and revoke keys and certificates based on public-key cryptography.
Online Certificate Status Protocol (OCSP): a protocol used to check the validity of an SSL/TLS certificate, that is, to confirm that the certificate has not been revoked.
Digital certificate: an electronic file that uniquely identifies people and resources on the Internet; an SSL certificate is one type of digital certificate.
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS): an authentication method within the EAP framework that uses X.509 digital certificates for network access authentication.
Identity source: the upstream system that stores the core account information. In the office setting the target application is office software, for example an instant messaging application, a Lightweight Directory Access Protocol (LDAP) directory or Active Directory (AD).
Identity source identifier: an encrypted string, stored in the SASE system and carried in the network access certificate, composed of the enterprise identifier and the account identifier.
The present application provides a method for processing a network access request that checks the status of the account accessing a network (such as an enterprise network), thereby improving network security. Referring to fig. 1, fig. 1 is a schematic diagram of an implementation environment for a method of processing a network access request according to an exemplary embodiment. As shown in fig. 1, the implementation environment may include a terminal device 101, a network device 102 and a server 103.
The terminal device 101 may be of many types, for example a desktop computer, a laptop computer, a tablet computer or a smartphone; the present application does not limit the type or number of terminal devices 101. A SASE client may be installed on the terminal device 101 so that a user can log in to different kinds of office software through the SASE client and access the network with the logged-in account.
The network device 102 may be an access controller (AC); alternatively, it may be another type of network device, as long as it can provide network access for the terminal device.
The server 103 may be a single server, several servers, a server cluster, a cloud computing platform and so on; the present application does not limit the type or number of devices making up server 103. Server 103 may include several containers (or processing areas) that provide different kinds of services to users. For example, server 103 may include two containers: one providing the network access request processing service, and the other storing, in separate data storage locations, the identity source identifiers and account statuses of the accounts registered in the different target applications. The server may also provide further kinds of services; the present application is not limited in this respect.
The container that provides the network access request processing service may include several functional modules, each providing a different kind of service to users, such as a certificate issuing service, an authentication service and a network access service, so that together they provide a complete network access request processing service.
The terminal device 101 may communicate with the network device 102 over a wired or wireless connection, and the network device 102 may communicate with the server 103 over a wireless connection, so that the network access process can be controlled through the interaction of the terminal device 101, the network device 102 and the server 103 according to the method provided by the present application.
Fig. 1 is only an exemplary implementation environment; the method for processing a network access request provided by the present application may also be applied in other environments. For example, the server shown in fig. 1 may consist of a first server and at least one second server. Fig. 2 is a schematic diagram of an implementation environment for another method of processing a network access request according to an exemplary embodiment; as shown in fig. 2, this environment may include a terminal device 201, a network device 202, a first server 203 and a second server 204.
For the terminal device 201 and the network device 202, refer to the description of fig. 1, which is not repeated here.
The first server 203 may be a single server, several servers, a server cluster, a cloud computing platform and so on; the present application does not limit the type or number of devices making up the first server 203. The first server provides the network access request processing service for the at least one second server and may include several functional modules providing different kinds of services to users, such as a certificate issuing service, an authentication service and a network access service, which together make up the network access request processing service. The first server may also provide further kinds of services; the present application is not limited in this respect.
The second server 204 may likewise be a single server, several servers, a server cluster, a cloud computing platform and so on, and the present application does not limit its type or number. The second server 204 is the back-end server of the target application (that is, the office software) used by the institution to which the target account belongs. Different target applications have different second servers: one target application corresponds to one second server, and different target applications correspond to different second servers.
The terminal device 201 may communicate with the network device 202 over a wired or wireless connection, the network device 202 may communicate with the first server 203 over a wireless connection, and the first server 203 may communicate with the second server 204 over a wired or wireless connection, so that the network access process can be controlled through the interaction of the terminal device 201, the network device 202, the first server 203 and the second server 204 according to the method provided by the present application.
Having described the environment in which the present application is implemented, a detailed description of the method for processing an access request provided by the present application follows.
Referring to fig. 3, fig. 3 is a flowchart of a method for processing a network access request according to an exemplary embodiment. The method may be applied to a server and, as shown in fig. 3, may include the following steps:
Step 301: in response to receiving a network access request from a target account, check the validity of the network access certificate carried by the network access request.
Step 302: when the validity check of the network access certificate passes, obtain from the network access certificate an identity source identifier that is unique to the target account within the target application.
Step 303: obtain the account status of the target account based on the identity source identifier.
Step 304: process the network access request based on the account status.
In this way the network access certificate carries an identity source identifier that is unique to the target account within the target application. Once the certificate's validity check passes, the server reads the identifier, looks up the current account status with it, and processes the request according to that status, so that admission control is based on the account status rather than on the certificate's validity period alone.
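As an added worked example (not code from the patent or from Alibaba Cloud), the following Python models the whole flow summarized in steps 301 to 304 together with the embodiments in the disclosure above: an identity source identifier built by encrypting the institution identifier and account identifier under a server-held key, a network access certificate that carries that identifier, per-institution account status storage, and an admission decision that allows only accounts in a permitted ("set") state. Everything in it is an assumption for illustration: the cipher is a stdlib-only stand-in for the encryption the patent leaves unspecified (AES-GCM or RSA-OAEP would be used in practice), the signed JSON object stands in for the X.509 certificate of EAP-TLS, and the status table, key values, account names and institution names are constructed sample data.

```python
"""Added model of the patent's flow, not the patent's own code: issue an access certificate
carrying an encrypted identity source identifier, then gate each request on live account status."""
import base64
import hashlib
import hmac
import json
import os

# --- identity source identifier --------------------------------------------------
# The patent encrypts (institution id, account id) under a server-held key and decrypts it
# with a configured private key per request. Assumption: stdlib-only stand-in cipher (HMAC-SHA256
# as a PRF in counter mode for the keystream, plus an HMAC tag over nonce||ciphertext, i.e.
# encrypt-then-MAC) so it runs anywhere; use a vetted AEAD such as AES-GCM, or RSA-OAEP, in practice.

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def make_identity_source_id(key, org_id, account_id):
    """Encrypt {org, acct} into the opaque URL-safe string placed in the certificate."""
    plaintext = json.dumps({"org": org_id, "acct": account_id}).encode()
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def parse_identity_source_id(key, token):
    """Check the tag first, then decrypt; returns (org_id, account_id)."""
    raw = base64.urlsafe_b64decode(token.encode())
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("identity source identifier rejected: bad tag")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    obj = json.loads(bytes(c ^ k for c, k in zip(ct, ks)))
    return obj["org"], obj["acct"]

# --- network access certificate ----------------------------------------------------
# Assumption: a JSON body signed with an issuer key stands in for the X.509 certificate and
# CA signature of EAP-TLS; the identifier sits in the body as it would in an extension.

def _sign(issuer_key, body):
    return hmac.new(issuer_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_certificate(issuer_key, identity_key, org_id, account_id, now, validity_seconds):
    body = {"subject": account_id,
            "identity_source_id": make_identity_source_id(identity_key, org_id, account_id),
            "not_before": now, "not_after": now + validity_seconds}
    return {"body": body, "sig": _sign(issuer_key, body)}

def certificate_is_valid(issuer_key, cert, now):
    """Step 301: signature and validity window only; this says nothing about the account."""
    body = cert["body"]
    return (hmac.compare_digest(cert["sig"], _sign(issuer_key, body))
            and body["not_before"] <= now <= body["not_after"])

# --- per-institution account status ------------------------------------------------
# Constructed sample data standing in for the per-institution storage (the second servers).
# The same account name exists in two institutions with different statuses, which is why
# the identifier must carry the institution id as well.
ACCOUNT_STATUS = {
    "org-A": {"alice": "active", "bob": "off-duty"},
    "org-B": {"alice": "frozen"},
}
PERMITTED_STATES = {"active"}  # the patent's "set state"

def process_access_request(issuer_key, identity_key, request, now):
    """Steps 301-304: verify certificate, extract identifier, look up status, decide."""
    cert = request["certificate"]
    if not certificate_is_valid(issuer_key, cert, now):
        return "deny", "certificate invalid or outside its validity period"
    try:
        org_id, account_id = parse_identity_source_id(identity_key, cert["body"]["identity_source_id"])
    except ValueError as err:
        return "deny", str(err)
    status = ACCOUNT_STATUS.get(org_id, {}).get(account_id)
    decision = "allow" if status in PERMITTED_STATES else "deny"
    return decision, f"{org_id}/{account_id} is {status or 'unknown'}"

def demo():
    """Three-year certificates; the decision follows live status, not certificate lifetime."""
    issuer_key, identity_key = os.urandom(32), os.urandom(32)
    now, later = 1_700_000_000, 1_700_000_000 + 30 * 24 * 3600  # fixed epoch seconds
    certs = {org: issue_certificate(issuer_key, identity_key, org, "alice", now, 3 * 365 * 24 * 3600)
             for org in ("org-A", "org-B")}
    def ask(org):
        return process_access_request(issuer_key, identity_key, {"certificate": certs[org]}, later)[0]
    results = {"alice@org-A": ask("org-A"), "alice@org-B": ask("org-B")}
    ACCOUNT_STATUS["org-A"]["alice"] = "off-duty"  # alice leaves; her certificate is untouched
    results["alice@org-A after leaving"] = ask("org-A")
    ACCOUNT_STATUS["org-A"]["alice"] = "active"  # restore the sample data
    return results

if __name__ == "__main__":
    print(demo())
```

Running the file prints the three decisions. The third denial happens with a certificate that is still years from expiry, which is exactly the gap described in the background section: the certificate check (step 301) and the status check (steps 302 to 304) are separate gates, and only the second one reacts when an account leaves or is frozen. Because the same account name exists in two institutions, dropping the institution identifier from the token would make the status lookup ambiguous, and because the token is authenticated before it is decrypted, a tampered or foreign-key identifier is rejected rather than decrypted to garbage.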
Having described the basic implementation of the present application, various alternative implementations of the present application are further described below.
In some embodiments, the target account number may log into the target application (i.e., office software) through a SASE client in the terminal device, so that a network access request is initiated through the SASE client, so that the terminal device may send the network access request carrying the network access certificate to the server to achieve access to the network. The server may respond to the network access request of the target account number by checking the validity of the network access certificate carried by the network access request in step 301.
In one possible implementation, before step 301, the server may implement the login of the target account by:
Step one, receiving a login request of a target account, wherein the login request carries first account information.
Optionally, the terminal device may display a login interface of the SASE client in the visual interface, the user may input first account information in the login interface, the terminal device obtains the first account information input by the user in response to an input operation of the user, so as to generate a login request based on the obtained first account information, and then send the generated login request to the server, so that the server may receive the login request carrying the first account information.
The first account information may include a target account and a password input by the user, optionally, the first account information may also include other types of information, and the specific content included in the first account information is not limited in the present application.
Alternatively, when the terminal device sends a login request to the server, the login request may be sent to a network device (such as an access controller, etc.), and the network device sends the login request to the server, so that the server may receive the login request from the terminal device.
Step two, verifying the validity of the target account based on the first account information carried by the login request.
It should be noted that, the server may store the first account information of multiple accounts in advance, based on this, after receiving the login request, the server may query in the stored first account information to determine whether there is first account information consistent with the first account information carried by the login request in the stored first account information, so as to implement verification on validity of the target account.
Taking the example that the first account information comprises a target account and a password, a plurality of accounts can be registered in advance in a server, the passwords of the plurality of accounts are stored, after receiving a login request, the server can firstly inquire whether the target account exists in the registered plurality of accounts, and under the condition that the target account exists in the registered plurality of accounts, the password carried by the login request is checked based on the stored password of the target account, so that the validity of the target account is checked.
Step three, allowing the target account to log in when the validity verification of the target account passes.
In one possible implementation manner, if the first account information carried by the login request is consistent with any stored first account information, the validity verification of the target account can be determined to pass, so that the target account can be allowed to login.
Taking the case that the first account information comprises the target account and the password as an example, when the target account exists in the registered multiple accounts and the stored password of the target account is consistent with the password carried by the login request, the validity verification of the target account can be determined to pass, and therefore the target account can be allowed to login.
In other possible implementations, the target account is refused login if the validity verification of the target account fails.
It should be noted that the validity verification of the target account failing means that the first account information carried by the login request does not match any of the stored first account information. Taking the case that the first account information comprises the target account and a password as an example, the validity verification fails when the target account in the first account information carried by the login request does not match any of the stored accounts, and/or the password in the first account information carried by the login request does not match the stored password of the target account.
By checking the legitimacy of the target account, under the condition that the legitimacy check of the target account passes, the target account is allowed to log in, so that the network security can be ensured, and the illegal account is prevented from logging in the network.
For ease of understanding, the process of implementing login through interaction between a terminal device and a server is described below, with reference to fig. 4, fig. 4 is a flowchart illustrating a login process according to an exemplary embodiment, which may include the steps of:
in step 401, the terminal device responds to a login operation of the target account, and generates a login request, wherein the login request carries first account information of the target account.
Step 402, the terminal device sends a login request to the server.
Step 403, the server receives a login request of the target account.
Step 404, the server verifies the validity of the target account based on the first account information carried by the login request.
Step 405, in the case that the validity verification of the target account passes, the server allows the target account to log in, and returns the identity source identifier of the target account to the terminal device.
It should be noted that the server may include a plurality of functional modules inside to provide different types of services, for example, the server may provide an authentication service and an information storage service for a user, so as to implement verification of validity of an account in a login process through the authentication service, and store identity source identifiers and account states of registered accounts in different target application programs through the information storage service. Referring to fig. 5, fig. 5 is a flowchart of a login process provided by an exemplary embodiment, and as shown in fig. 5, after a terminal device sends a login request to a server, the server may implement verification of validity of an account through an authentication service, and further return an identity source identifier of a target account to the terminal device.
The above-mentioned processes shown in fig. 4 and fig. 5 are merely flow descriptions of the login process, and specific implementation manners of each step may refer to each embodiment described above, which is not repeated herein.
It should be noted that once the target account is logged in on the terminal device, the terminal device may access the network through the logged-in target account.
In some embodiments, if the target account is logged in for the first time on the terminal device, the target account may apply for issuing a network access certificate to the server through the terminal device, and apply for network access based on the issued network access certificate. If the target account number is not logged in for the first time on the terminal device, the target account number can directly apply for network access based on the issued network access certificate.
The processing in the two cases, depending on whether the target account is logged in for the first time, is described below.
1. The target account is logged in for the first time on the terminal device
If the target account is logged in for the first time on the terminal device, the terminal device may generate a certificate acquisition request based on the second account information of the target account, so as to send the certificate acquisition request to the server, and the server may acquire an identity source identifier based on the second account information carried by the certificate acquisition request in response to receiving the certificate acquisition request of the target account, and add the identity source identifier to a network access certificate generated for the target account, so as to send the network access certificate to the terminal device corresponding to the target account.
Optionally, the second account information may include an account identifier of the target account and an institution identifier of an institution to which the target account belongs (e.g., an enterprise identifier of an enterprise to which the target account belongs), or the second account information may further include other types of information, where specific content included in the second account information is not limited in the present application.
The process of obtaining the account identifier of the target account may be that a user may input his own account on a visual interface of the terminal device, the terminal device may obtain the account input by the user as the account identifier of the target account in response to an input operation of the user, or the user may input his own account name on the visual interface of the terminal device, the terminal device may obtain the account name input by the user in response to an input operation of the user, so that the obtained account name is sent to the server, so that the server may obtain the account identifier of the target account based on the received account name.
The process of obtaining the institution identifier of the institution to which the target account belongs may be as follows: the user may input the institution identifier of the institution (such as an enterprise or organization) to which the user belongs on a visual interface of the terminal device, and the terminal device obtains the input institution identifier as the institution identifier of the institution to which the target account belongs in response to the user's input operation; or the user may input the institution name on the visual interface of the terminal device, the terminal device obtains the input institution name in response to the user's input operation and sends it to the server, and the server obtains the institution identifier of the institution to which the target account belongs based on the received institution name.
Taking the case that the second account information comprises the account identifier of the target account and the institution identifier of the institution to which the target account belongs as an example, when the server generates the network access certificate for the target account based on the second account information carried by the certificate acquisition request, it may perform an encryption calculation over the account identifier and the institution identifier included in the second account information with a set key to obtain the identity source identifier.
In one possible implementation manner, the account identifier and the institution identifier included in the second account information may be calculated by using a hash encryption algorithm based on the set key, so as to obtain the identity source identifier. Alternatively, other encryption algorithms may be used to implement the above encryption calculation process, and the present application is not limited to what kind of encryption algorithm is specifically used.
The set key may be a key obtained by an encryption calculation over institution information (such as the institution identifier); optionally, the set key may be obtained in other ways, and the specific way of obtaining the set key is not limited in the present application.
In the above process of generating the network access certificate for the target account, referring to fig. 6, fig. 6 is a flowchart of issuing a network access certificate according to an exemplary embodiment: after obtaining the account identifier and the institution identifier, the server calculates the set key from the institution identifier, performs the encryption calculation over the institution identifier and the account identifier with the set key, takes the result of the encryption calculation as the identity source identifier of the target account, and adds the obtained identity source identifier to the network access certificate, thereby obtaining the network access certificate generated for the target account.
By adding the identity source identifier of the target account to the network access certificate, the certificate includes not only the basic information of the target account but also its identity source identifier, which can be used in the subsequent verification of the account state.
After the network access certificate is generated through the process, the generated network access certificate can be returned to the terminal equipment corresponding to the target account, and the terminal equipment can store the received network access certificate so that the target account can access the network based on the network access certificate later.
For ease of understanding, the process of implementing the issuance of an access ticket through interaction between a terminal device and a server is described below, with reference to fig. 7, fig. 7 is a flowchart illustrating an access ticket issuance process according to an exemplary embodiment, which may include the steps of:
Step 701, the terminal device generates a certificate acquisition request based on second account information of the target account, where the certificate acquisition request carries the second account information.
Step 702, the terminal device sends a certificate acquisition request to the server.
Step 703, the server obtains an identity source identifier based on the second account information carried by the certificate obtaining request, and adds the identity source identifier to the network access certificate generated for the target account.
Step 704, the server returns the network access certificate to the terminal equipment.
It should be noted that the server may include a plurality of functional modules therein for providing different types of services, for example, the server may provide a certificate issuing service for a user so as to implement an issuing process of a network access certificate through the certificate issuing service. Referring to fig. 8, fig. 8 is a flowchart of a certificate issuing process provided in an exemplary embodiment, as shown in fig. 8, after a terminal device sends a certificate obtaining request carrying second account information to a server, the server may verify the second account information through a certificate issuing service, and further generate an access certificate based on the second account information when the second account information is verified, and then return the access certificate to the terminal device.
The foregoing fig. 7 and fig. 8 are merely flowcharts illustrating the issuing process of the network access certificate, and the specific implementation manner of each step may refer to each embodiment described above, which is not repeated herein.
The above process has been described by taking, as an example, generating the network access certificate based on the second account information carried by the certificate acquisition request once that request is received. In other possible implementations, before the network access certificate is generated for the target account based on the second account information carried by the certificate acquisition request, the second account information may be checked, and the network access certificate is generated for the target account based on the second account information only when that check passes.
For example, whether the second account information meets the set format may be checked, and if the second account information meets the set format, it may be determined that the second account information passes the check. Taking the example that the second account information comprises an account identifier and an organization identifier, whether the account identifier and the organization identifier meet a set format or not can be checked, so that the second account information is checked.
By checking the second account information first, and generating the network access certificate based on the second account information under the condition that the second account information passes the check, the network security can be improved.
2. The target account is not logged in for the first time on the terminal device
It should be noted that, because the network access certificate is already generated for the target account when the target account logs in for the first time, when the target account logs in again, the network access can be directly realized based on the stored network access certificate without applying for issuing the network access certificate again.
Alternatively, the network access certificate involved in the above process may be a digital certificate, for example an X.509 digital certificate, or it may be of another type; the specific type of the network access certificate is not limited by the present application.
The process of implementing network access based on access credentials is described below.
It should be noted that, the target account may trigger the network access request through the terminal device, so as to send the network access request to the server, alternatively, the terminal device may send the network access request to the network device (such as an access controller, etc.), and the network device may send the network access request to the server, so that the server may receive the network access request from the terminal device, and then perform processing based on the network access certificate carried by the network access request.
In some embodiments, for step 301, when the validity of the network access certificate carried by the network access request is verified in response to receiving the network access request of the target account, the server may check whether the network access certificate is within its validity period, or check, according to the signature format of the issuing authority, whether the signature of the network access certificate satisfies that signature format, thereby verifying the validity of the network access certificate; optionally, other manners may be adopted to verify the validity of the network access certificate.
Taking the check of whether the network access certificate is within its validity period as an example, the validity verification of the network access certificate is determined to pass when the certificate is within its validity period. For another example, when the validity is verified by checking whether the signature of the network access certificate satisfies the signature format of the issuing authority, the validity verification is determined to pass if the signature satisfies that format. Once the validity verification passes, the identity source identifier of the target account can be obtained from the network access certificate through step 302.
When the server implements the above processes, it may do so through a container (or processing area) in the server that provides the network access request processing service; after the identity source identifier of the target account is obtained, the server may obtain the account state based on the identifier through a container (or processing area) that provides the storage service for the identity source identifiers and account states of the accounts registered in different target application programs. Since the identity source identifier is obtained through an encryption calculation, for step 303, obtaining the account state of the target account based on the identity source identifier may include the following steps:
Step 3031, decrypting the identity source identifier with the set private key to obtain the account identifier of the target account and the institution identifier of the institution to which the target account belongs.
Step 3032, based on the account identifier, acquiring the account state of the target account from the data storage location in the server corresponding to the institution identifier.
The data storage locations corresponding to different institution identifiers in the server may differ, so the data storage location holding the account identifier and account state of the target account is first determined from the institution identifier, and the account state of the target account is then acquired from that location based on the account identifier.
After the account status of the target account is obtained, network access control can be realized based on the obtained account status. In some embodiments, for step 304, when processing the network access request based on the account status, any of the following situations may be included:
In one possible implementation, in a case where the account status indicates that the target account is in the set state, the network access request is responded, that is, the network access request of the target account is accepted, and the target account is allowed to access the network, so that the target account can acquire data from the network.
In another possible implementation, the network access request is denied if the account status indicates that the target account is in a non-set state.
The set state may be an incumbent state, and the non-set state may include an off-job state, a shift state, and the like.
The above process of implementing network access control based on the network access certificate may refer to fig. 9, which is a flowchart of a network access control process according to an exemplary embodiment. After receiving a network access request, the server first checks the validity of the network access certificate; if the certificate is determined to be invalid, the server directly rejects the network access request. If the certificate is valid, the server continues to process the request: it extracts the identity source identifier of the target account from the certificate, calculates the set key using the institution identifier, and decrypts the identity source identifier with the set key to obtain the institution identifier and the account identifier. It then determines the corresponding data storage location in the server according to the institution identifier, queries the account state according to the account identifier in that location, and decides how to process the network access request according to the account state: the request is accepted when the account state is the set state and rejected when the account state is a non-set state.
For ease of understanding, the process of implementing network access control through interaction between a terminal device and a server is described below with reference to fig. 10, which is a flowchart illustrating a network access control process according to an exemplary embodiment and may include the following steps:
In step 1001, the terminal device sends a network access request to the server, where the network access request carries a network access certificate.
Step 1002, the server responds to the network access request of the target account, and verifies the validity of the network access certificate carried by the network access request.
Step 1003, when the validity verification of the network access certificate passes, the server obtains from the network access certificate the identity source identifier of the target account, which is unique within the target application program.
Step 1004, the server obtains an account status of the target account based on the identity source identifier.
Step 1005, the server processes the network access request based on the account status.
It should be noted that the server may include a plurality of functional modules therein for providing different types of services, for example, the server may provide a network access service for a user, so as to implement control over network access through the network access service. Referring to fig. 11, fig. 11 is a flowchart of a network admission control process provided in an exemplary embodiment, where, as shown in fig. 11, a terminal device may send a network access request to a server, and after receiving the network access request, the server checks the validity of a certificate through a network admission service, and if the check is passed, queries an account status of a target account according to an identity source identifier of the target account, and determines a network access authentication result according to the queried account status, so as to approve or reject network access of the target account according to the network access authentication result.
The foregoing fig. 10 and fig. 11 are merely flowcharts illustrating a network admission control procedure, and specific implementation manners of each step may refer to each foregoing embodiment, which is not repeated herein.
It should be noted that, the network access service may include a dynamic verification module, so that the dynamic verification process of the network access service shown in fig. 11 may be implemented through the dynamic verification module.
Through the above embodiments, even when the network access certificate is valid, the network cannot be accessed while the account state is not the set state. Conversely, if the target account is restored to the set state, the account state recorded for the identity source identifier of the target account in the target application program can be restored to the set state accordingly, and the network can be accessed again afterwards without re-issuing the network access certificate.
In addition, the scheme provided by the present application can verify the account state of the target account in real time according to the identity source identifier during network access authentication, without resorting to multi-factor authentication, so the user's workflow is not affected and the user experience is not degraded. Furthermore, the scheme does not require building a complex PKI infrastructure, and the network access service does not need to be integrated with an OCSP service (because the scheme does not need to verify whether the certificate has been revoked), so the complexity of the system can be reduced.
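The following is an added, constructed Python example (not the patent's own code) that walks through both the certificate issuance of fig. 6 and fig. 7 and the admission control of fig. 9: the set key is derived from the institution identifier, the identity source identifier is an authenticated, reversible encryption of the institution identifier and account identifier, the certificate is a signed JSON body standing in for X.509, and the account state is read from per-institution storage. The page describes the identifier as a "hash encryption" that step 3031 later decrypts; since a plain hash cannot be reversed, the example uses a reversible HMAC-based construction (a stdlib stand-in for an AEAD such as AES-GCM), and all secrets, names and the storage contents are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed (hypothetical) server secrets; a real deployment would keep them in a KMS or HSM.
SERVER_ROOT_SECRET = b"constructed-root-secret"
ISSUER_SIGNING_KEY = b"constructed-issuer-signing-key"
SET_STATE = "incumbent"  # the page's "set state"; any other state is rejected

# Constructed per-institution storage: each institution identifier maps to its own storage
# location, so the same account identifier under two institutions is two distinct records.
ACCOUNT_STATE_STORE: Dict[str, Dict[str, str]] = {
    "org-acme": {"u-1001": SET_STATE, "u-1002": "off-job"},
    "org-globex": {"u-1001": "shift"},
}

def derive_set_key(org_id: str) -> bytes:
    """Set key computed from institution information (HMAC used as a key derivation function)."""
    return hmac.new(SERVER_ROOT_SECRET, b"set-key|" + org_id.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for an AEAD such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def make_identity_source_id(set_key: bytes, org_id: str, account_id: str) -> str:
    """Reversible, authenticated encoding of (institution id, account id) under the set key."""
    plaintext = json.dumps([org_id, account_id]).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(set_key, nonce, len(plaintext))))
    tag = hmac.new(set_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return (nonce + ct + tag).hex()

def open_identity_source_id(set_key: bytes, identity_source_id: str) -> Tuple[str, str]:
    """Step 3031: recover institution id and account id; raises ValueError on tampering."""
    blob = bytes.fromhex(identity_source_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(set_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("identity source identifier failed authentication")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(set_key, nonce, len(ct))))
    org_id, account_id = json.loads(pt)
    return org_id, account_id

def _issuer_signature(body: dict) -> str:
    """Issuing authority's signature over the canonical certificate body (HMAC stands in for X.509)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()

def issue_certificate(org_id: str, account_id: str, now: int, lifetime_s: int = 365 * 86400) -> dict:
    """Step 703: basic information plus the identity source identifier, signed by the issuer."""
    body = {
        "subject": {"org": org_id, "account": account_id},  # basic information of the account
        "not_before": now,
        "not_after": now + lifetime_s,
        "identity_source_id": make_identity_source_id(derive_set_key(org_id), org_id, account_id),
    }
    return {"body": body, "signature": _issuer_signature(body)}

def certificate_is_valid(cert: dict, now: int) -> bool:
    """Step 301: the issuer signature must verify and 'now' must lie within the validity period."""
    body, sig = cert.get("body"), cert.get("signature", "")
    if not isinstance(body, dict) or not hmac.compare_digest(sig, _issuer_signature(body)):
        return False
    return body["not_before"] <= now <= body["not_after"]

def lookup_account_state(cert_body: dict) -> Optional[str]:
    """Steps 3031-3032: decrypt the identifier, then read the state from that institution's storage."""
    subject_org = cert_body["subject"]["org"]
    org_id, account_id = open_identity_source_id(derive_set_key(subject_org), cert_body["identity_source_id"])
    if org_id != subject_org:  # the identifier must agree with the certificate's basic information
        raise ValueError("institution mismatch between identifier and certificate subject")
    return ACCOUNT_STATE_STORE.get(org_id, {}).get(account_id)

def process_access_request(cert: dict, now: int) -> Tuple[str, str]:
    """Steps 301-304: returns ('accept' or 'reject', reason); no OCSP or re-issuance is involved."""
    if not certificate_is_valid(cert, now):
        return "reject", "certificate invalid or outside validity period"
    try:
        state = lookup_account_state(cert["body"])
    except ValueError as exc:
        return "reject", str(exc)
    if state == SET_STATE:
        return "accept", "account state is the set state"
    return "reject", f"account state is {state!r}"
```

Changing an account's entry in the per-institution store to a non-set state and back makes the same certificate be rejected and then accepted again, which is the revocation-free behaviour the text describes.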
The above process has been described by taking, as an example, the division of the server into different containers (or processing areas) to implement the method for processing a network access request according to the present application. In other possible implementations, the server may include a first server and at least one second server, where the first server provides the network access request processing service for the at least one second server, and the second server may be a background server of the target application program used by the institution to which the target account belongs; the second server at least stores the identity source identifiers and account states of the accounts registered in the target application program.
In this case, the method for processing an access request provided by the present application may refer to fig. 12, and fig. 12 is a flowchart illustrating a method for processing an access request according to an exemplary embodiment, where the method may be applied to a first server, as shown in fig. 12, and the method may include the following steps:
Step 1201, in response to receiving the network access request of the target account, verifying the validity of the network access certificate carried by the network access request.
Step 1202, under the condition that the validity of the network access certificate passes, acquiring an identity source identifier of the target account number with uniqueness in the corresponding second server from the network access certificate.
Step 1203, acquiring an account status of the target account from the second server based on the identity source identifier.
Step 1204, processing the network access request based on the account state.
By using the first server and the second server to implement different functions, the data of the first server and the second server are kept separate, so data security can be improved.
Based on the embodiment shown in fig. 12, the above process of implementing the login of the target account and verifying the validity of the network access certificate and related content may be performed by the first server, and the description of the above content may be referred to the above embodiment and will not be repeated herein.
Under the condition that the validity verification of the network access certificate passes, the first server can determine the target application program used by the mechanism to which the target account belongs according to the mechanism identifier to which the target account belongs, and further acquire the account state of the target account from a background server (namely a second server) of the target application program, so that a subsequent process is executed based on the acquired account state, and description about the acquired account state and the subsequent process can be found in the above embodiments, which are not repeated herein.
Corresponding to the embodiments of the aforementioned method, the present description also provides embodiments of the apparatus and the server to which it is applied.
Referring to fig. 13, fig. 13 is a block diagram of an apparatus for processing an access request according to an exemplary embodiment, where the apparatus includes:
The verification module 1301 is configured to, in response to receiving a network access request of the target account, verify validity of a network access certificate carried by the network access request;
The identifier obtaining module 1302 is configured to obtain, from the network access certificate, an identity source identifier of the target account number that has uniqueness in the target application program, where the validity of the network access certificate passes;
The state acquisition module 1303 is configured to acquire an account state of the target account based on the identity source identifier;
the processing module 1304 is configured to process the network access request based on the account status.
In some embodiments, the identity source identifier is obtained by encrypting, with a set key, an account identifier of the target account and an institution identifier of the institution to which the target account belongs;
the state acquisition module 1303, when configured to acquire the account state of the target account based on the identity source identifier, is configured to:
decrypt the identity source identifier with a set private key to obtain the account identifier of the target account and the institution identifier of the institution to which the target account belongs;
based on the account identifier, acquire the account state of the target account from the data storage location in the server corresponding to the institution identifier, wherein different institution identifiers correspond to different data storage locations in the server.
In some embodiments, the processing module 1304, when configured to process the network access request based on the account state, is configured to perform either of the following:
respond to the network access request when the account state indicates that the target account is in a set state;
reject the network access request when the account state indicates that the target account is in a non-set state.
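As an added illustration that is not part of the patent or of any assignee code, the following Go program models the state-acquisition and decision steps just described (also the subject of claims 1 and 2): the identity source identifier is produced by encrypting the account identifier together with the institution identifier, the server decrypts it with its private key, looks the account up only in that institution's own storage, and serves or rejects the request by account state. It assumes RSA-OAEP from Go's standard library as the "set key"/"set private key" pair, a "|" separator inside the plaintext, and a constructed in-memory map standing in for the second server's per-institution storage; the certificate validity check that precedes this step is assumed to have passed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// AccountState mirrors the page's "set state" (served) and "non-set state" (rejected).
type AccountState int

const (
	StateNormal   AccountState = iota // the set state
	StateDisabled                     // a non-set state
)
// institutionStore stands in for the second server's storage: each institution
// identifier owns a separate account-state table, so a lookup never crosses institutions.
type institutionStore map[string]map[string]AccountState

// NewServerKey creates the first server's key pair (2048-bit RSA is an assumption).
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueIdentitySource encrypts "accountID|institutionID" under the server's public key;
// the result is the identity source identifier placed in the network access certificate.
func IssueIdentitySource(pub *rsa.PublicKey, accountID, institutionID string) (string, error) {
	if strings.Contains(accountID+institutionID, "|") {
		return "", fmt.Errorf("identifiers must not contain the separator")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(accountID+"|"+institutionID), nil)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// ResolveIdentitySource decrypts the identifier with the private key and splits it again.
func ResolveIdentitySource(priv *rsa.PrivateKey, id string) (accountID, institutionID string, err error) {
	ct, err := base64.RawURLEncoding.DecodeString(id)
	if err != nil {
		return "", "", err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", "", err // forged or altered identifier: no state lookup is attempted
	}
	parts := strings.SplitN(string(plain), "|", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed identity source")
	}
	return parts[0], parts[1], nil
}

// ProcessAccessRequest is the step after certificate validation: recover both identifiers,
// read the state from that institution's own table, then serve (true) or reject (false).
func ProcessAccessRequest(priv *rsa.PrivateKey, store institutionStore, identitySource string) (bool, error) {
	accountID, institutionID, err := ResolveIdentitySource(priv, identitySource)
	if err != nil {
		return false, err
	}
	state, ok := store[institutionID][accountID] // unknown institution or account gives ok == false
	if !ok {
		return false, fmt.Errorf("account %q is not registered with institution %q", accountID, institutionID)
	}
	return state == StateNormal, nil
}

func main() {
	priv, _ := NewServerKey()
	store := institutionStore{"inst-A": {"alice": StateNormal, "bob": StateDisabled}} // constructed sample
	id, _ := IssueIdentitySource(&priv.PublicKey, "alice", "inst-A")
	fmt.Println(ProcessAccessRequest(priv, store, id))
}
```

Because the institution identifier travels inside the ciphertext, the same account identifier registered at two institutions resolves to two different storage tables, which is the isolation the claims describe.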
In some embodiments, the apparatus further comprises:
a receiving module, configured to receive a login request of the target account, wherein the login request carries first account information;
the verification module 1301 is further configured to verify the validity of the target account based on the first account information carried by the login request,
and to allow the target account to log in when the validity verification of the target account passes.
In some embodiments, the identifier obtaining module 1302 is further configured to, in response to receiving a certificate obtaining request of the target account when the target account logs in for the first time, obtain the identity source identifier based on second account information carried by the certificate obtaining request;
the apparatus further comprises:
an adding module, configured to add the identity source identifier to the network access certificate generated for the target account;
and a sending module, configured to send the network access certificate to the terminal device corresponding to the target account.
In some embodiments, the second account information includes at least the account identifier of the target account and the institution identifier of the institution to which the target account belongs;
the identifier obtaining module 1302, when configured to obtain the identity source identifier based on the second account information carried by the certificate obtaining request, is configured to:
perform an encryption calculation, based on the set key, on the account identifier and the institution identifier included in the second account information to obtain the identity source identifier.
In some embodiments, the verification module 1301 is further configured to verify the second account information, and to execute the steps of obtaining the identity source identifier based on the second account information carried by the certificate obtaining request and adding the identity source identifier to the network access certificate generated for the target account only when the second account information passes the verification.
In some embodiments, the server includes a first server and at least one second server, where the first server is configured to provide a network access request processing service for the at least one second server, each second server is the background server corresponding to the target application program used by the institution to which the target account belongs, and each second server is configured at least to store the identity source identifiers and account states of the accounts registered in that target application program.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The present application also provides a server; referring to fig. 14, fig. 14 is a schematic structural diagram of a server according to an exemplary embodiment. At the hardware level, the server includes a processor 1402, an internal bus 1404, a network interface 1406, a memory 1408 and a nonvolatile memory 1410, and may include hardware required for implementing other functions. One or more embodiments of the present description may be implemented in software, for example by the processor 1402 reading the corresponding computer program from the nonvolatile memory 1410 into the memory 1408 and then running it. Of course, in addition to a software implementation, one or more embodiments of the present disclosure do not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
The application also provides a computer program product, which comprises a computer program, and the computer program realizes the processing method of the network access request provided by any embodiment of the application when being executed by a processor.
The apparatus or module set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (Central Processing Unit, CPU), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory, random access memory (RAM) and/or nonvolatile memory in a computer-readable medium, such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by the server. Computer-readable media, as defined herein, do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises that element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, this information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The term "if" as used herein may be interpreted as "when" or "upon" or "in response to determining", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (10)

1. A method for processing a network access request, the method being applied to a server, the method comprising:
in response to receiving a network access request of a target account, verifying the validity of a network access certificate carried by the network access request;
when the validity of the network access certificate passes, acquiring, from the network access certificate, an identity source identifier of the target account that is unique within a target application program;
acquiring an account state of the target account based on the identity source identifier;
processing the network access request based on the account state;
wherein the identity source identifier is obtained by encrypting, with a set key, an account identifier of the target account and an institution identifier of an institution to which the target account belongs;
and the acquiring the account state of the target account based on the identity source identifier comprises:
decrypting the identity source identifier with a set private key to obtain the account identifier of the target account and the institution identifier of the institution to which the target account belongs;
based on the account identifier, acquiring the account state of the target account from a data storage location in the server corresponding to the institution identifier, wherein different institution identifiers correspond to different data storage locations in the server.
2. The method of claim 1, wherein the processing the network access request based on the account state comprises any one of:
responding to the network access request when the account state indicates that the target account is in a set state;
and rejecting the network access request when the account state indicates that the target account is in a non-set state.
3. The method according to claim 1, wherein, before the step of verifying the validity of the network access certificate carried by the network access request in response to receiving the network access request of the target account, the method further comprises:
receiving a login request of the target account, wherein the login request carries first account information;
verifying the validity of the target account based on the first account information carried by the login request;
and allowing the target account to log in when the validity of the target account passes.
4. The method according to claim 3, wherein, after allowing the target account to log in when the validity of the target account passes, the method further comprises:
when the target account logs in for the first time, in response to receiving a certificate acquisition request of the target account, acquiring the identity source identifier based on second account information carried by the certificate acquisition request, and adding the identity source identifier to a network access certificate generated for the target account;
and sending the network access certificate to a terminal device corresponding to the target account.
5. The method of claim 4, wherein the second account information includes at least the account identifier of the target account and the institution identifier of the institution to which the target account belongs;
and the acquiring the identity source identifier based on the second account information carried by the certificate acquisition request comprises:
performing an encryption calculation, based on the set key, on the account identifier and the institution identifier included in the second account information to obtain the identity source identifier.
6. The method according to claim 4, wherein, before acquiring the identity source identifier based on the second account information carried by the certificate acquisition request and adding the identity source identifier to the network access certificate generated for the target account, the method further comprises:
verifying the second account information, and executing the steps of acquiring the identity source identifier based on the second account information carried by the certificate acquisition request and adding the identity source identifier to the network access certificate generated for the target account only when the second account information passes the verification.
7. The method according to claim 1, wherein the server includes a first server and at least one second server, the first server is configured to provide a network access request processing service for the at least one second server, the second server is a background server corresponding to a target application program used by the institution to which the target account belongs, and the second server is configured at least to store the identity source identifiers and account states of the accounts registered in the target application program.
8. An apparatus for processing a network access request, the apparatus being applied to a server, the apparatus comprising:
a verification module, configured to, in response to receiving a network access request of a target account, verify the validity of a network access certificate carried by the network access request;
an identifier acquisition module, configured to acquire, from the network access certificate, an identity source identifier of the target account that is unique within a target application program when the validity of the network access certificate passes;
a state acquisition module, configured to acquire an account state of the target account based on the identity source identifier;
a processing module, configured to process the network access request based on the account state;
wherein the identity source identifier is obtained by encrypting, with a set key, an account identifier of the target account and an institution identifier of an institution to which the target account belongs;
and the state acquisition module, when configured to acquire the account state of the target account based on the identity source identifier, is configured to:
decrypt the identity source identifier with a set private key to obtain the account identifier of the target account and the institution identifier of the institution to which the target account belongs;
based on the account identifier, acquire the account state of the target account from a data storage location in the server corresponding to the institution identifier, wherein different institution identifiers correspond to different data storage locations in the server.
9. A server, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method for processing a network access request according to any one of claims 1 to 7 by executing the executable instructions.
10. A computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method for processing a network access request according to any one of claims 1 to 7.
CN202210689487.3A 2022-06-16 2022-06-16 Method, device, server and medium for processing network access request Active CN115150831B (en)
Publications (2)

Publication Number Publication Date
CN115150831A (en) 2022-10-04
CN115150831B (en) 2025-01-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant