Application-free reconstruction docking method and system between application system and IAM system
1. A docking method between an application system and an IAM system that requires no modification of the application, characterized by comprising the following steps:
step 1), capturing the permissions of the application system and collecting the hierarchy of application interface pages; the specific process is as follows:
step 11), acquiring a target application system data set;
step 12), sending a simulated login data packet carrying an account number and a password to a target application system to obtain a returned cookie;
step 13), importing the obtained cookie into a page crawling program, performing page crawling on a target application system, and sending the crawled page data to a message bus;
step 14), the data storage node acquires data from the message bus and stores the data in a database;
step 2), analyzing and sorting the captured application system pages, and establishing a correspondence between the API interfaces that interface with the IAM system and the application system pages; the specific process is as follows:
step 21), extracting the data in the database in the step 14), and classifying and labeling the data based on preset rules;
step 22), adding a time stamp to the field analyzed by the classified and labeled result in the step 21), and establishing an index to store the index into a database;
step 23), obtaining application system page information from the database in the step 22), and establishing a corresponding relation between the application system page and the API interface according to the preset authority information;
and step 3), realizing permission docking and data interaction between the application system and the IAM system, comprising the following specific processes:
step 31), when a user access request to an application system within the managed scope is received, redirecting to the Portal authentication page of the IAM;
step 32), after receiving the redirection with the authentication ticket, initiating a ticket verification request to the IAM system;
step 33), after the ticket authentication result is obtained, authority information of the third-party application account is obtained according to the ticket;
step 34), after the user logs in the portal, a POST method is adopted to obtain an application authorization list of the user;
and step 35), comparing the authorization information with the classified and labeled data of step 21) to complete the per-page permit/deny operation for the application system.
2. The method according to claim 1, wherein in step 11), the target application system data set comprises a target application system address and a highest-authority account password.
3. The docking method without application modification between the application system and the IAM system according to claim 1, wherein in step 21), the data is classified, based on a preset rule, into permission login interface data, function module interface data, and system management interface data.
4. A docking system between an application system and an IAM system that requires no modification of the application, characterized by comprising an application system permission capture module, a permission agent module and a permission docking module;
the application system permission capture module is used for capturing the application system permissions and acquiring the hierarchy of application interface pages; the concrete contents are as follows:
a target application data set is input to the application system permission capture module; the application system permission capture module sends a simulated login data packet carrying an account and a password to the target application system to obtain the returned cookie; the obtained cookie is then imported into a page crawling program, page crawling is carried out on the target application system, and the crawled page data are sent to a message bus; the data storage node acquires the data from the message bus and stores it in a database;
the permission agent module is used for analyzing and sorting the captured application system pages and establishing a correspondence between the API (application programming interface) interfaces that interface with the IAM (identity and access management) system and the application system pages; the concrete contents are as follows:
the permission agent module extracts the data obtained by the application system permission capture module and classifies and labels the data based on preset rules; a timestamp is then added to the fields parsed from the classified and labeled result, and an index is established for storage; application system page information is acquired from the database, and a correspondence between application system pages and API interfaces is established according to the preset permission information;
the permission docking module is used for realizing permission docking and data interaction between the application system and the IAM system; the concrete contents are as follows:
when the permission docking module receives a user access request to an application system within the managed scope, it redirects to the Portal authentication page of the IAM; after receiving the redirection carrying the authentication ticket, it initiates a ticket verification request to the IAM; after obtaining the ticket authentication result, it obtains the permission information of the third-party application account according to the ticket; after the user logs in to the portal, it acquires the user's application authorization list by a POST method; and it compares the authorization information with the classified and labeled data of the permission agent module to complete the per-page permit/deny operation for the application system.
5. The system of claim 1, wherein in the application system permission capture module, the target application system data set comprises a target application system address and a highest-permission account password.
6. The system according to claim 1, wherein the permission agent module classifies the data into permission login interface data, function module interface data, and system management interface data based on a preset rule.
Background
With the continuous development of information technology, information security incidents and information leaks occur frequently both domestically and abroad, and the security of enterprise information assets is seriously threatened by the steadily rising number of hacker attacks, ransomware, phishing and malware attacks, causing enterprises huge economic losses. In addition to external attacks, the "participation" of insiders further increases the likelihood and impact of incidents; for example, employees or contractors holding access rights beyond what their duties require create a risk of sensitive data leakage. As a result, enterprises place increasing emphasis on identifying and controlling the risk posed by "people". A mature IAM system can strengthen the enterprise's protection of information assets, address its identity and permission management needs, and meet regulatory and security requirements by ensuring that user access rules and policies are applied consistently throughout the organization.
However, when an enterprise deploys an IAM system, it often finds that existing application systems are difficult to integrate: the permission control module of an existing application cannot meet the IAM's requirement for fine-grained permission control, and a large amount of development and modification work would be needed; yet applications built in an earlier period are hard to develop and modify, for some systems the maintenance team and even the source code can no longer be found, and for these reasons the IAM system cannot truly be implemented, so its effectiveness is greatly weakened.
To solve these problems, the present invention studies in depth the permission interfacing of an application system with an IAM system by combining data acquisition, data cleaning, data analysis and machine learning techniques.
Disclosure of Invention
The invention aims to solve the technical problem that an IAM system cannot normally exercise its fine-grained permission control function because application systems built in the prior art are difficult to modify and costly to invest in, and provides a permission docking method and system between an application system and an IAM system that require no modification of the application, so that the construction cost of the IAM identity and permission system is reduced, the construction effect is improved, and the IAM obtains fine-grained permission control over the application system while the application system is neither developed nor modified.
To this end, the invention is realized by the following technical scheme: the docking method between an application system and an IAM system without application modification comprises the following steps:
step 1), capturing the permissions of the application system and collecting the hierarchy of application interface pages; the specific process is as follows:
step 11), acquiring a target application system data set;
step 12), sending a simulated login data packet carrying an account number and a password to a target application system to obtain a returned cookie;
step 13), importing the obtained cookie into a page crawling program, performing page crawling on a target application system, and sending the crawled page data to a message bus;
step 14), the data storage node acquires data from the message bus and stores the data in a database;
step 2), analyzing and sorting the captured application system pages, and establishing a correspondence between the API interfaces that interface with the IAM system and the application system pages; the specific process is as follows:
step 21), extracting the data in the database in the step 14), and classifying and labeling the data based on preset rules;
step 22), adding a time stamp to the field analyzed by the classified and labeled result in the step 21), and establishing an index to store the index into a database;
step 23), obtaining application system page information from the database in the step 22), and establishing a corresponding relation between the application system page and the API interface according to the preset authority information;
and step 3), realizing permission docking and data interaction between the application system and the IAM system, comprising the following specific processes:
step 31), when a user access request to an application system within the managed scope is received, redirecting to the Portal authentication page of the IAM;
step 32), after receiving the redirection with the authentication ticket, initiating a ticket verification request to the IAM system;
step 33), after the ticket authentication result is obtained, authority information of the third-party application account is obtained according to the ticket;
step 34), after the user logs in the portal, a POST method is adopted to obtain an application authorization list of the user;
and step 35), comparing the authorization information with the classified and labeled data of step 21) to complete the per-page permit/deny operation for the application system.
Further, in step 11), the target application system data set includes a target application system address and a highest-authority account password.
Further, in step 21), classifying the data based on a preset rule into authority login interface data, function module interface data and system management interface data.
The other technical scheme adopted by the invention is as follows: a docking system between an application system and an IAM system that requires no modification of the application comprises an application system permission capture module, a permission agent module and a permission docking module;
the application system permission capture module is used for capturing the application system permissions and acquiring the hierarchy of application interface pages; the concrete contents are as follows:
a target application data set is input to the application system permission capture module; the application system permission capture module sends a simulated login data packet carrying an account and a password to the target application system to obtain the returned cookie; the obtained cookie is then imported into a page crawling program, page crawling is carried out on the target application system, and the crawled page data are sent to a message bus; the data storage node consumes the data from the message bus and stores it in a database;
the permission agent module is used for analyzing and sorting the captured application system pages and establishing a correspondence between the API (application programming interface) interfaces that interface with the IAM (identity and access management) system and the application system pages; the concrete contents are as follows:
the permission agent module extracts the data obtained by the application system permission capture module and classifies and labels the data based on preset rules; a timestamp is then added to the fields parsed from the classified and labeled result, and an index is established for storage; application system page information is acquired from the database, and a correspondence between application system pages and API interfaces is established according to the preset permission information;
the permission docking module is used for realizing permission docking and data interaction between the application system and the IAM system; the concrete contents are as follows:
when the permission docking module receives a user access request to an application system within the managed scope, it redirects to the Portal authentication page of the IAM; after receiving the redirection carrying the authentication ticket, it initiates a ticket verification request to the IAM; after obtaining the ticket authentication result, it obtains the permission information of the third-party application account according to the ticket; after the user logs in to the portal, it acquires the user's application authorization list by a POST method; and it compares the authorization information with the classified and labeled data of the permission agent module to complete the per-page permit/deny operation for the application system.
Further, in the application system permission capture module, the target application system data set includes a target application system address and a highest-permission account password.
Further, in the permission agent module, the data is classified into permission login interface data, function module interface data and system management interface data based on preset rules.
The invention has the following beneficial effects: it solves the problem that an IAM system cannot normally perform fine-grained permission control because application systems built in the prior art are difficult to transform and costly, reduces the construction cost of the IAM identity and permission system, improves the construction effect, and lets the IAM obtain fine-grained permission control over the application system while the application system is neither developed nor transformed.
Drawings
Fig. 1 is a block diagram of a docking system between an application system and an IAM system that requires no modification of the application, according to the present invention.
Detailed Description
The invention is further described in detail below with reference to the drawings and examples.
Example 1
As shown in fig. 1, the present embodiment provides a docking method between an application system and an IAM system that requires no modification of the application, comprising the following specific steps:
(1) capturing the permissions of the application system and collecting the hierarchy of application interface pages; the specific process is as follows:
(1.1) acquiring a target application data set, wherein the data set comprises a target application system address and a highest authority account password;
(1.2) sending a simulated login data packet carrying an account number and a password to a target application system to obtain a returned cookie;
(1.3) importing the obtained cookie into a page crawling program to perform page crawling on a target application system, and sending the crawled page data to a message bus;
and (1.4) the data storage node consumes the data from the message bus and stores it in a database.
(2) Analyzing and sorting the captured application system pages, and establishing a correspondence between the API interfaces used to interface with the IAM system and the application system pages; the specific process is as follows:
(2.1) extracting the data obtained in step (1), and classifying and labeling the data based on a preset rule, for example into permission login interfaces, function module interfaces, system management interfaces, etc.;
(2.2) adding a timestamp to the fields parsed from the classified and labeled result of step (2.1) and establishing an index for storage;
and (2.3) acquiring the application system page information from the database, and establishing the correspondence between the application system pages and the API interfaces according to the preset permission information.
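As an added illustration of step (2) above (and of the corresponding step 2) in the claims and in the summary), the following Python example, written for this page and not taken from the patent or the applicant's implementation, classifies a constructed sample of crawled page records with preset regular-expression rules, stamps and indexes the result, and maps each page to the permission codes whose API patterns the page calls. The rule sets, the permission codes, the record layout and the sample records are all assumptions of this example; the patent only states that classification uses "preset rules" and that the page-to-API correspondence follows "preset permission information".

```python
import re
from datetime import datetime, timezone

# Preset classification rules (assumed for this example): category -> regexes matched
# against the crawled page path. The first matching category wins.
PRESET_RULES = {
    "authority_login": [r"^/login\b", r"^/logout\b", r"^/auth/"],
    "system_management": [r"^/admin/", r"^/sys/"],
    "function_module": [r"^/(orders|reports|inventory)\b"],
}

# Preset permission information (assumed): permission code -> API path patterns it covers.
PRESET_AUTHORITY = {
    "ORDER_VIEW": [r"^/api/orders$", r"^/api/orders/\d+$"],
    "ORDER_EDIT": [r"^/api/orders/\d+/update$"],
    "REPORT_VIEW": [r"^/api/reports"],
    "USER_ADMIN": [r"^/api/admin/users"],
}


def classify_page(path):
    """Step (2.1): return the category of a crawled page path, or 'unclassified'."""
    for category, patterns in PRESET_RULES.items():
        if any(re.search(p, path) for p in patterns):
            return category
    return "unclassified"


def label_pages(crawled, now=None):
    """Steps (2.1)-(2.2): classify each record, add a timestamp and build an index
    keyed by category and by path (the in-memory equivalent of the stored index)."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    index = {"by_category": {}, "by_path": {}}
    for rec in crawled:
        labeled = dict(rec)
        labeled["category"] = classify_page(rec["path"])
        labeled["labeled_at"] = stamp
        index["by_category"].setdefault(labeled["category"], []).append(rec["path"])
        index["by_path"][rec["path"]] = labeled
    return index


def map_pages_to_apis(index, authority=PRESET_AUTHORITY):
    """Step (2.3): for each page, collect the permission codes whose API patterns
    match the API calls observed on that page."""
    mapping = {}
    for path, rec in index["by_path"].items():
        perms = set()
        for api in rec.get("api_calls", []):
            for perm, patterns in authority.items():
                if any(re.search(p, api) for p in patterns):
                    perms.add(perm)
        mapping[path] = sorted(perms)
    return mapping


# Constructed sample of crawled page records, i.e. what step (1) would have delivered
# through the message bus. Not real data.
SAMPLE_CRAWL = [
    {"path": "/login", "title": "Sign in", "api_calls": ["/api/auth/login"]},
    {"path": "/orders", "title": "Orders", "api_calls": ["/api/orders", "/api/orders/42"]},
    {"path": "/orders/42/edit", "title": "Edit order",
     "api_calls": ["/api/orders/42", "/api/orders/42/update"]},
    {"path": "/admin/users", "title": "User management", "api_calls": ["/api/admin/users"]},
    {"path": "/help", "title": "Help", "api_calls": []},
]

if __name__ == "__main__":
    idx = label_pages(SAMPLE_CRAWL)
    for path, rec in idx["by_path"].items():
        print(f"{path:18} {rec['category']:18} {rec['labeled_at']}")
    for path, perms in map_pages_to_apis(idx).items():
        print(f"{path:18} requires {perms}")
```

Pages that no rule matches are kept in the index under `unclassified` rather than dropped, so that the docking stage can fail closed on them instead of silently treating them as public.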
(3) Realizing permission docking and data interaction between the application system and the IAM system; the specific process is as follows:
(3.1) when a user access request to an application system within the managed scope is received, redirecting to the Portal authentication page of the IAM;
(3.2) after receiving the redirection carrying the authentication ticket, initiating a ticket verification request to the IAM;
(3.3) after the ticket authentication result is obtained, acquiring the permission information of the third-party application account according to the ticket;
(3.4) after the user logs in to the portal, acquiring the user's application authorization list by a POST method;
and (3.5) comparing the authorization information with the classified and labeled data of step (2.1) to complete the per-page permit/deny operation for the application system.
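As an added illustration of step (3) above (and of the permission docking module described in claim 4 and in Example 2), the following Python example, written for this page rather than taken from the patent, models the redirect, the ticket verification, the POST retrieval of the authorization list and the per-page permit/deny comparison entirely in memory. The `FakeIAM` class, the ticket format, the session handling and the `LABELED_PAGES` table are assumptions of this example standing in for the real IAM interfaces and the stored labeled data, which the patent does not specify. Two choices go beyond the text and are marked as such in the code: a ticket is consumed on first verification so that a replayed ticket is sent back to the Portal, and a page inside the managed scope that carries no label is denied rather than permitted.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode


class FakeIAM:
    """Constructed stand-in for the IAM system; not a real IAM API."""

    def __init__(self, authorizations):
        self._authz = authorizations   # account -> set of permission codes
        self._tickets = {}             # ticket -> account; each ticket is single-use
        self._counter = 0

    def issue_ticket(self, account):
        # What the Portal hands back after the user authenticates (step 3.1).
        self._counter += 1
        ticket = f"ST-{self._counter}-{secrets.token_hex(4)}"
        self._tickets[ticket] = account
        return ticket

    def verify_ticket(self, ticket):
        # Steps 3.2/3.3: consume the ticket and return the account it was issued to.
        # Returns None for an unknown or already-used ticket (single-use is this example's choice).
        return self._tickets.pop(ticket, None)

    def post_authorization_list(self, app_id, account):
        # Step 3.4: the POST call returning the user's authorization list for this application.
        return sorted(self._authz.get(account, set()))


# Labeled page data from the permission agent (step 2): page path -> permission codes
# the page requires. Constructed sample; every key is inside the managed scope.
LABELED_PAGES = {
    "/orders": {"ORDER_VIEW"},
    "/orders/42/edit": {"ORDER_VIEW", "ORDER_EDIT"},
    "/admin/users": {"USER_ADMIN"},
    "/help": set(),
}


@dataclass
class Decision:
    action: str          # "redirect", "permit" or "deny"
    location: str = ""   # set for redirects
    session: str = ""    # set once a ticket has been validated


class DockingModule:
    def __init__(self, iam, portal_url, app_id, labeled_pages=LABELED_PAGES):
        self.iam, self.portal_url, self.app_id = iam, portal_url, app_id
        self.labeled = labeled_pages
        self.sessions = {}   # session id -> account

    def handle(self, path, session=None, ticket=None):
        # Resolve the account from an existing session, or by validating a fresh ticket.
        account = self.sessions.get(session) if session else None
        if account is None and ticket is not None:
            account = self.iam.verify_ticket(ticket)
            if account is not None:
                session = secrets.token_hex(16)
                self.sessions[session] = account
        if account is None:
            # Step 3.1: not authenticated (or bad/replayed ticket): send to the IAM Portal,
            # remembering the requested page so the Portal can redirect back with a ticket.
            return Decision("redirect", self.portal_url + "?" + urlencode({"service": path}))
        # Steps 3.4/3.5: fetch the authorization list and compare it with the labeled page data.
        granted = set(self.iam.post_authorization_list(self.app_id, account))
        required = self.labeled.get(path)
        if required is None:
            # Page in the managed scope but without a label: fail closed (this example's choice).
            return Decision("deny", session=session)
        return Decision("permit" if required <= granted else "deny", session=session)


if __name__ == "__main__":
    iam = FakeIAM({"alice": {"ORDER_VIEW"}, "bob": {"ORDER_VIEW", "ORDER_EDIT", "USER_ADMIN"}})
    dock = DockingModule(iam, "https://iam.example/portal", "erp")
    print(dock.handle("/orders"))                          # redirect to the Portal
    first = dock.handle("/orders", ticket=iam.issue_ticket("alice"))
    print(first)                                            # permit
    print(dock.handle("/orders/42/edit", session=first.session))   # deny: ORDER_EDIT missing
```

The comparison `required <= granted` is a subset test, so a page that needs several permission codes is permitted only when the authorization list covers all of them; a page labeled with an empty set (such as a help page) is permitted for any authenticated account.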
Example 2
This embodiment provides a docking system between an application system and an IAM system that requires no modification of the application.
The application system permission capture module is used for discovering the application system and acquiring the hierarchy of application interface pages; the specific implementation process is as follows: a target application data set, comprising the target application system address and a highest-permission account password, is input to the application system permission capture module; the application system permission capture module sends a simulated login data packet carrying an account and a password to the target application system to obtain the returned cookie; the obtained cookie is then imported into a page crawling program to perform page crawling on the target application system, and the crawled page data are sent to a message bus; the data storage node consumes the data from the message bus and stores it in a database.
The permission agent module is used for analyzing and sorting the captured application system pages and establishing a correspondence between the API interfaces and the application system pages; the specific process is as follows: the permission agent module extracts the data obtained by the application system permission capture module and classifies and labels the data based on preset rules; a timestamp is then added to the fields parsed from the classified and labeled result and an index is established for storage; the application system page information is acquired from the database, and the correspondence between the application system pages and the API interfaces is established according to the preset permission information.
The permission docking module is used for realizing permission docking and data interaction between the application system and the IAM system; the specific process is as follows: when the permission docking module receives a user access request to an application system within the managed scope, it redirects to the Portal authentication page of the IAM; after receiving the redirection carrying the authentication ticket, it initiates a ticket verification request to the IAM; after obtaining the ticket authentication result, it obtains the permission information of the third-party application account according to the ticket; after the user logs in to the portal, it acquires the user's application authorization list by a POST method; and it compares the authorization information with the classified and labeled data of the permission agent module to complete the per-page permit/deny operation for the application system.
The above-described embodiments are intended to illustrate rather than to limit the invention, and any modifications and variations of the present invention are within the spirit of the invention and the scope of the appended claims.