Security protection method specific to unauthorized access

An unauthorized-access security prevention technology, applied in the field of enterprise security, can solve the problems of increased code complexity and coding workload, inconsistent user permissions between the front end and the back end, and users being unable to use it, so as to reduce the authorization workload, improve code readability, and reduce the code workload.

Inactive Publication Date: 2014-04-16
STATE GRID CORP OF CHINA +2

AI Technical Summary

Problems solved by technology

[0006] 2. The server verifies the user name and password, establishes corresponding session information on the server to record the current user's login status, displays the corresponding operation interface according to the logged-in user's authority, and hides or grays out the menus and buttons that the user cannot use, making them unusable for the user.
[0012] 1. The subject of back-end authorization is inconsistent with that of the front end. The front end deals with menus and buttons, while the back end deals with database tables or back-end methods. Authorization work is duplicated, and there is a hidden danger of inconsistent user permissions.
[0013] 2. A lot of permission verification code is added in the back end, and the permission verification code and business code are mixed together, which increases the code complexity and coding workload, and also increases the hidden danger of bugs.


Embodiment Construction

[0030] A security prevention method against unauthorized access. Figure 2 is the implementation schematic diagram of the present invention. The method includes the following steps:

[0031] 1) Determine whether the user is logged in according to the session information of the server. If not logged in, turn to the login interface; if logged in, further check the authority.

[0032] 2) Obtain the login information of the current user from the server session.

[0033] 3) According to the login information of the current user, obtain the permission list that the current user can access from the permission platform, including which menus and which buttons of those menus.

[0034] 4) According to the annotation (Annotation) of the Action method requested by the user, obtain the menu Code and button Code corresponding to the request.

[0035] 5) Check whether the menu Code and button Code requested by the user are in the user's authorization list, if so, pass the authorization check,...
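Steps 1) to 5), as an added Java example that is not code from the patent: the annotation name `Permission`, the `menu:button` code format, the in-memory `PLATFORM` map standing in for the permission platform, and the `loginUser` session key are all assumptions. Rejecting with an exception follows the abstract; denying Action methods that carry no annotation is this example's own choice.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class PermissionCheckDemo {
    // Hypothetical annotation: binds an Action method to the menu/button it serves.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Permission { String menu(); String button(); }

    static class UnauthorizedOperationException extends RuntimeException {
        UnauthorizedOperationException(String m) { super(m); }
    }

    // Constructed stand-in for the permission platform: user -> granted "menu:button" codes.
    static final Map<String, Set<String>> PLATFORM = Map.of(
        "alice", Set.of("ORDER:VIEW", "ORDER:DELETE"),
        "bob",   Set.of("ORDER:VIEW"));

    static class OrderAction {
        @Permission(menu = "ORDER", button = "VIEW")   public String view()   { return "order list"; }
        @Permission(menu = "ORDER", button = "DELETE") public String delete() { return "order deleted"; }
        public String export() { return "export"; }   // no annotation: denied by default (assumption)
    }

    // One central check in front of every Action, so business methods carry no permission code.
    static Object dispatch(Map<String, Object> session, Object action, String name) throws Exception {
        Object user = session.get("loginUser");                        // steps 1-2: session lookup
        if (user == null) return "redirect:/login";                    // not logged in
        Set<String> granted = PLATFORM.getOrDefault(user, Set.of());   // step 3: permission list
        Method m = action.getClass().getMethod(name);
        Permission p = m.getAnnotation(Permission.class);              // step 4: codes from annotation
        if (p == null || !granted.contains(p.menu() + ":" + p.button()))   // step 5: membership check
            throw new UnauthorizedOperationException(user + " may not call " + name);
        return m.invoke(action);                                       // authorized: run business code
    }

    public static void main(String[] args) throws Exception {
        OrderAction a = new OrderAction();
        System.out.println(dispatch(Map.of(), a, "view"));                    // no session
        System.out.println(dispatch(Map.of("loginUser", "bob"), a, "view"));  // granted
        for (String name : List.of("delete", "export")) {                     // hidden button, unannotated
            try { dispatch(Map.of("loginUser", "bob"), a, name); }
            catch (UnauthorizedOperationException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Because the same menu and button codes drive both what the front end displays and what the dispatcher accepts, a request crafted for a hidden button is rejected on the server rather than relying on the button being invisible.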


Abstract

The invention discloses a security protection method specific to unauthorized access. The security protection method comprises: determining whether a user is logged in according to the server session information, and turning to a login interface if the user is not logged in; performing a further authorization check if the user is logged in; obtaining the login information of the current user from the server session; obtaining from an authorization platform, according to the login information of the current user, the authorization list of what the current user has access to; obtaining the menu code and button code corresponding to a request according to the annotation of the action method requested by the user; checking whether the menu code and button code requested by the user are in the authorization list of the user, and throwing an unauthorized operation exception if the request is not in the authorization list; and prompting the user that the request is invalid due to the unauthorized operation. The security protection method specific to unauthorized access is simple and efficient.

Description

Technical field

[0001] The invention belongs to the field of enterprise security, and in particular relates to a security prevention method for unauthorized access.

Background technique

[0002] The permission control of enterprise applications often determines which menus and buttons can be used by logged-in users. For unauthorized menus and buttons, the system generally hides them or grays them out so that users cannot click them, thereby achieving the purpose of permission control.

[0003] Under the J2EE framework, the HTTP protocol is used for communication between the client and the server. The TCP session cannot be maintained between multiple requests of the HTTP protocol, and requests can only be identified by the session information in the HTTP header. Illegal HTTP requests therefore create the possibility of unauthorized operations.

[0004] The general attack steps are shown in Figure 1:

[0005] 1. The user logs in on the server through the browser, and enters the correct user n...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L29/06
Inventor: 刘汉理, 王全强, 王青国
Owner: STATE GRID CORP OF CHINA