Resource access method, system, device, terminal and storage medium

HK40083872BActive Publication Date: 2026-07-10TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
HK · HK
Patent Type
Patents
Current Assignee / Owner
TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date
2023-05-19
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In existing technologies, the security of resource access is relatively poor, mainly because the verification information for resource access requests is insufficient, resulting in incomplete verification.

Method used

By intercepting resource access requests at the terminal, verifying status information, and further verifying the resource access request based on access control information after successful verification, including verification of user identifiers, process information, etc., combined with the verification process of the management server and access gateway, the security of resource access is ensured.

Benefits of technology

It improves the security of resource access by enhancing terminal security through a real-time verification process, ensuring the legitimacy and validity of resource access.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 00000000_0000_ABST
    Figure 00000000_0000_ABST
Patent Text Reader

Abstract

The embodiment of the application discloses a resource access method, system and device, a terminal and a storage medium, and belongs to the technical field of computers. The method comprises the following steps: based on first access control information, intercepting a resource access request sent by a first client, wherein the first access control information indicates that the resource access request is intercepted and a verification operation is performed in the case that any client in a terminal sends the resource access request; verifying state information of the terminal at present; in the case that the state information verification is passed, verifying the resource access request based on the first access control information; and in the case that the resource access request verification is passed, performing resource access based on the resource access request. The method combines the verification of the state information and the verification of the resource access request, increases the verified information, makes the verification process more perfect, and improves the security of the resource access.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, and in particular to a resource access method, system, device, terminal and storage medium. Background Technology

[0002] With the rapid development of computer technology and the internet, many users can access online resources through terminals. To ensure access security, related technologies pre-configure access control information for each client. When a client begins to access resources, the access control information is used to verify the resource access request initiated by the client. However, these technologies only verify the resource access request, and the verification information is limited, resulting in poor security for resource access. Summary of the Invention

[0003] This application provides a resource access method, system, device, terminal, and storage medium, which improves the security of resource access. The technical solution is as follows:

[0004] On the one hand, a resource access method is provided, the method comprising:

[0005] Based on the first access control information, the resource access request sent by the first client is intercepted, and the first access control information indicates that if any client in the terminal sends a resource access request, the resource access request is intercepted and a verification operation is performed.

[0006] Verify the current status information of the terminal;

[0007] If the status information verification passes, the resource access request is verified based on the first access control information;

[0008] If the resource access request is verified, resource access is performed based on the resource access request.

[0009] Optionally, verifying the user identifier includes:

[0010] If the user identifier belongs to the target identifier set, it is determined that the user identifier has passed verification, and the user identifiers included in the target identifier set have the permission to access the resource.

[0011] Optionally, after obtaining the first process information corresponding to the process identifier from the first client based on the process identifier when the status information verification is successful, the method further includes:

[0012] If the management client does not store the process information corresponding to the process identifier, it sends the authentication request to the management server.

[0013] Receive the verification result returned by the management server.

[0014] Optionally, if the status information verification passes, verifying the resource access request based on the first access control information includes:

[0015] Within a target time period after the status information verification is successful, the resource access request is verified based on the first access control information.

[0016] Optionally, after verifying the current state information of the terminal, the method further includes:

[0017] If the status information verification fails, the resource access request is deleted.

[0018] Optionally, after verifying the resource access request based on the first access control information when the status information verification is successful, the method further includes:

[0019] If the resource access request fails verification, the resource access request is deleted.

[0020] Optionally, the resource access request carries a process identifier. After verifying the resource access request based on the first access control information if the status information verification passes, the method further includes:

[0021] If the resource access request fails to be verified, the target process corresponding to the process identifier is deleted.

[0022] Optionally, the management client includes a first sub-client and a second sub-client;

[0023] The first sub-client is used to intercept resource access requests and forward the resource access requests;

[0024] The second sub-client is used to verify the status information and the resource access request.

[0025] On the other hand, a resource access method is provided, the method comprising:

[0026] The receiving terminal sends an authentication request through the management client. The authentication request carries first process information, which corresponds to the process identifier carried in the resource access request intercepted by the management client. The first process information is obtained from the first client that sent the resource access request. The process identifier indicates the process in the first client that requests resource access.

[0027] Based on the second access control information, the authentication request is verified, and the verification result of the authentication request is returned to the terminal. The terminal is used to receive the verification result and, if the verification result indicates that the resource access request has been verified, to access the resource based on the resource access request. The second access control information indicates that a verification operation is performed when the authentication request is received.

[0028] Optionally, the authentication request also carries the process identifier, and the verification of the authentication request includes:

[0029] If the process identifier belongs to the process identifier set, the first process information is verified. The process identifier set includes process identifiers corresponding to processes that are allowed to access resources.

[0030] Optionally, verifying the first process information includes:

[0031] If the first process information matches the third process information, the verification of the first process information is deemed successful, and the third process information is the process information stored in the local device corresponding to the process identifier; or,

[0032] If the local device does not store process information corresponding to the process identifier, it sends the authentication request to the cloud server and receives the verification result of the first process information returned by the cloud server. The cloud server stores the latest process information, and the cloud server is used to verify the first process information based on the authentication request.

[0033] Optionally, after verifying the first process information, the method further includes:

[0034] Receive third-party process information sent by the cloud server;

[0035] The process identifier is stored in correspondence with the third process information.

[0036] On the other hand, a resource access method is provided, the method comprising:

[0037] The receiving terminal sends a network request, which is sent by the terminal after the management server has verified the terminal's resource access request. The network request carries the verification credentials sent by the management server to the terminal.

[0038] Based on the third access control information, a verification request carrying the verification credential is sent to the management server. The management server is used to verify the verification credential. The third access control information indicates that a verification operation should be performed upon receiving a network request.

[0039] If the management server verifies the authentication credentials, a connection is established with the terminal, and the connection is used by the terminal to send the resource access request.

[0040] On the other hand, a resource access system is provided, which includes a terminal and a management server;

[0041] The terminal is configured to intercept resource access requests sent by a first client based on first access control information by managing the client. The first access control information indicates that the resource access request should be intercepted and a verification operation should be performed if any client in the terminal sends a resource access request.

[0042] The terminal is also used to verify the current status information of the terminal;

[0043] The terminal is further configured to send an authentication request to the management server based on the first access control information when the status information verification is successful. The authentication request carries first process information, which corresponds to the process identifier carried in the resource access request and is obtained from the first client. The process identifier indicates the process in the first client that requests resource access.

[0044] The management server is configured to verify the authentication request based on the second access control information, and return the verification result of the authentication request to the terminal. The second access control information indicates that a verification operation should be performed upon receiving the authentication request.

[0045] The terminal is also configured to receive the verification result, and, if the verification result indicates that the resource access request has been verified, to access the resource based on the resource access request.

[0046] On the other hand, a resource access device is provided, the device comprising:

[0047] The request interception module is used to intercept resource access requests sent by a first client based on first access control information, wherein the first access control information indicates that the resource access request should be intercepted and a verification operation should be performed if any client in the terminal sends a resource access request.

[0048] The first verification module is used to verify the current status information of the terminal;

[0049] The second verification module is used to verify the resource access request based on the first access control information if the status information verification is successful.

[0050] The resource access module is used to access resources based on the resource access request if the resource access request is verified.

[0051] Optionally, the request interception module is used to intercept the resource access request based on the first access control information through a management client, wherein the management client is used to perform resource access control on the client in the terminal.

[0052] Optionally, the status information includes network information, and the first verification module includes:

[0053] The first verification unit is used to obtain network information corresponding to the network currently connected to the terminal;

[0054] The first verification unit is further configured to, if the network information matches the target network information, determine that the status information verification is successful, and that the target network information is network information corresponding to a secure network; or...

[0055] The status information also includes a user identifier that is logged into the management client. The first verification unit is further configured to verify the user identifier when the network information does not match the target network information, and to determine that the status information verification is successful when the user identifier is successfully verified.

[0056] Optionally, the status information includes resource type, and the first verification module includes:

[0057] The second verification unit is used to obtain the resource type to which the resource requested by the resource access request belongs;

[0058] The second verification unit is further configured to, when the resource type is a public resource type, determine that the status information verification is successful, and that the resource belonging to the public resource type is a resource that allows access by clients with any user ID to log in; or,

[0059] The status information also includes a user identifier that is logged into the management client. The second verification unit is further configured to verify the user identifier when the resource type is a non-public resource type, and to determine that the status information verification is successful when the user identifier is successfully verified.

[0060] Optionally, the first verification module is configured to determine that the user identifier has been verified if the user identifier belongs to the target identifier set, and that the user identifiers included in the target identifier set have the right to access resources.

[0061] Optionally, the status information includes client information of each client installed on the terminal, and the first verification module includes:

[0062] The third verification unit is used to obtain the current client information of each client installed on the terminal and verify the client information.

[0063] The second verification module is used to verify the resource access request based on the first access control information, provided that all client information has been verified successfully.

[0064] Optionally, the request interception module includes:

[0065] The first interception unit is configured to intercept the resource access request when the management client is in a first interception mode, wherein the first interception mode indicates that any resource access request sent by any client in the terminal to access any resource will be intercepted; or...

[0066] The second interception unit is configured to intercept the resource access request when the management client is in the second interception mode and the target address carried by the resource access request belongs to the first address set. The second interception mode indicates that any resource access request sent by any client in the terminal for accessing non-public resources should be intercepted. The first address set includes addresses of non-public resources.

[0067] Optionally, the resource access request carries a process identifier, the process identifier indicating the process requesting resource access, the first access control information indicating a verification operation of the process information corresponding to the process identifier, and the second verification module being used for:

[0068] If the status information verification is successful, the first process information corresponding to the process identifier is obtained from the first client based on the process identifier;

[0069] Based on the process identifier, obtain the second process information corresponding to the process identifier from the management client;

[0070] If the first process information matches the second process information, an authentication request is sent to the management server corresponding to the management client. The authentication request carries the first process information. The management server is used to verify the authentication request based on the second access control information. The second access control information indicates that a verification operation is performed when the authentication request is received.

[0071] Receive the verification result returned by the management server.

[0072] Optionally, the second verification module is used for:

[0073] If the management client does not store the process information corresponding to the process identifier, it sends the authentication request to the management server.

[0074] Receive the verification result returned by the management server.

[0075] Optionally, the resource access module is used for:

[0076] If the resource access request passes verification, the management client sends the resource access request to the business server, which then returns the target resource corresponding to the resource access request; or...

[0077] If the resource access request is successfully verified, the resource access request is sent to the business server through the management client and the access gateway.

[0078] Optionally, the resource access module is used for:

[0079] The management client sends a network request to the access gateway. The network request carries the verification credentials sent to the terminal by the management server corresponding to the management client. The access gateway is used to send a verification request carrying the verification credentials to the management server based on third access control information. The management server is used to verify the verification credentials and return the verification result to the access gateway. The access gateway is also used to establish a connection between the access gateway and the terminal if the verification credentials are verified successfully. The third access control information indicates that a verification operation should be performed when a verification request is received.

[0080] Based on the established connection, the resource access request is sent to the access gateway, which is used to send the resource access request to the business server.

[0081] Optionally, the second verification module is used for:

[0082] Within a target time period after the status information verification is successful, the resource access request is verified based on the first access control information.

[0083] Optionally, the device further includes:

[0084] The request deletion module is used to delete the resource access request if the status information verification fails.

[0085] Optionally, the device further includes:

[0086] The request deletion module is used to delete the resource access request if the resource access request fails verification.

[0087] Optionally, the resource access request carries a process identifier, and the apparatus further includes:

[0088] The process cleanup module is used to clean up the target process corresponding to the process identifier if the resource access request verification fails.

[0089] Optionally, the management client includes a first sub-client and a second sub-client;

[0090] The first sub-client is used to intercept resource access requests and forward the resource access requests;

[0091] The second sub-client is used to verify the status information and the resource access request.

[0092] On the other hand, a resource access device is provided, the device comprising:

[0093] An authentication request receiving module is used to receive an authentication request sent by a terminal through a management client. The authentication request carries first process information, which corresponds to the process identifier carried in the resource access request intercepted by the management client. The first process information is obtained from the first client that sent the resource access request. The process identifier indicates the process in the first client that requests resource access.

[0094] The verification module is used to verify the authentication request based on the second access control information and return the verification result of the authentication request to the terminal. The terminal is used to receive the verification result and, if the verification result indicates that the resource access request has been verified, to access the resource based on the resource access request. The second access control information indicates that a verification operation is performed when the authentication request is received.

[0095] Optionally, the authentication request also carries the process identifier. The verification module is used to verify the first process information if the process identifier belongs to a set of process identifiers, wherein the set of process identifiers includes process identifiers corresponding to processes that are allowed to access resources.

[0096] Optionally, the verification module is used for:

[0097] If the first process information matches the third process information, the verification of the first process information is deemed successful, and the third process information is the process information stored in the local device corresponding to the process identifier; or,

[0098] If the local device does not store process information corresponding to the process identifier, it sends the authentication request to the cloud server and receives the verification result of the first process information returned by the cloud server. The cloud server stores the latest process information, and the cloud server is used to verify the first process information based on the authentication request.

[0099] Optionally, the device further includes:

[0100] A storage module is used to receive third-party process information sent by the cloud server;

[0101] The storage module is also used to store the process identifier and the third process information in correspondence.

[0102] On the other hand, a resource access device is provided, the device comprising:

[0103] A network request receiving module is used to receive network requests sent by a terminal. The network request is sent by the terminal after the management server has verified the terminal's resource access request. The network request carries the verification credentials sent by the management server to the terminal.

[0104] The verification request sending module is used to send a verification request carrying the verification credential to the management server based on third access control information. The management server is used to verify the verification credential. The third access control information indicates that a verification operation should be performed when a network request is received.

[0105] The connection establishment module is used to establish a connection with the terminal when the management server verifies the verification credentials, and the connection is used by the terminal to send the resource access request.

[0106] On the other hand, a terminal is provided, the terminal including a processor and a memory, the memory storing at least one computer program, the at least one computer program being loaded and executed by the processor to perform the operations performed by the resource access method described above.

[0107] On the other hand, a management server is provided, the management server including a processor and a memory, the memory storing at least one computer program, the at least one computer program being loaded and executed by the processor to perform the operations performed by the resource access method described above.

[0108] On the other hand, an access gateway is provided, the access gateway including a processor and a memory, the memory storing at least one computer program, the at least one computer program being loaded and executed by the processor to implement the operations performed by the resource access method described above.

[0109] On the other hand, a computer-readable storage medium is provided that stores at least one computer program, which is loaded and executed by a processor to perform the operations performed by the resource access method as described above.

[0110] On the other hand, a computer program product is provided, including a computer program that, when executed by a processor, implements the operations performed by the resource access method described above.

[0111] The beneficial effects of the technical solutions provided in this application include at least the following:

[0112] In this embodiment, to ensure the security of the terminal during resource access, the current state information of the terminal is first verified. Then, if the state information verification passes, i.e., if the terminal is currently secure, the resource access request is verified based on the first access control information. Resource access is then granted only if the resource access request verification passes. Combining the verification of state information and the verification of resource access requests not only increases the amount of verification information but also enables real-time verification of the terminal due to the terminal's current state information. This makes the verification process more comprehensive and improves the security of resource access. Attached Figure Description

[0113] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0114] Figure 1 This is a schematic diagram of a resource access system provided in an embodiment of this application;

[0115] Figure 2 This is a schematic diagram of another resource access system provided in an embodiment of this application;

[0116] Figure 3 This is a schematic diagram of another resource access system provided in an embodiment of this application;

[0117] Figure 4 This is a flowchart of a resource access method provided in an embodiment of this application;

[0118] Figure 5 This is a flowchart of a resource access method provided in an embodiment of this application;

[0119] Figure 6 This is a flowchart of a resource access method provided in an embodiment of this application;

[0120] Figure 7 This is a schematic diagram of a gateway configuration interface provided in an embodiment of this application;

[0121] Figure 8 This is a schematic diagram of a strategy management interface provided in an embodiment of this application;

[0122] Figure 9 This is a schematic diagram of a business system configuration interface provided in an embodiment of this application;

[0123] Figure 10 This is a schematic diagram of a resource configuration interface provided in an embodiment of this application;

[0124] Figure 11 This is a schematic diagram of another business system configuration interface provided in an embodiment of this application;

[0125] Figure 12 This is a schematic diagram of another gateway configuration interface provided in an embodiment of this application;

[0126] Figure 13 This is a schematic diagram of a client configuration interface provided in an embodiment of this application;

[0127] Figure 14 This is a flowchart of a resource access method provided in an embodiment of this application;

[0128] Figure 15 This is a schematic diagram of a login interface provided in an embodiment of this application;

[0129] Figure 16 This is a schematic diagram of a display interface provided in an embodiment of this application;

[0130] Figure 17 This is a schematic diagram of a verification interface provided in an embodiment of this application;

[0131] Figure 18 This is a schematic diagram of a prompt interface provided in an embodiment of this application;

[0132] Figure 19 This is a schematic diagram of a detection interface provided in an embodiment of this application;

[0133] Figure 20 This is a schematic diagram of another prompt interface provided in an embodiment of this application;

[0134] Figure 21 This is a schematic diagram of a resource access method provided in an embodiment of this application;

[0135] Figure 22 This is a flowchart of a resource access method provided in an embodiment of this application;

[0136] Figure 23 This is a schematic diagram of the structure of a resource access device provided in an embodiment of this application;

[0137] Figure 24 This is a schematic diagram of the structure of a resource access device provided in an embodiment of this application;

[0138] Figure 25 This is a schematic diagram of the structure of a resource access device provided in an embodiment of this application;

[0139] Figure 26 This is a schematic diagram of the structure of a terminal provided in an embodiment of this application;

[0140] Figure 27 This is a schematic diagram of the structure of a server provided in an embodiment of this application. Detailed Implementation

[0141] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the implementation methods of this application will be further described in detail below with reference to the accompanying drawings.

[0142] It is understood that the terms "first," "second," etc., used in this application may be used to describe various concepts herein, but unless otherwise specified, these concepts are not limited by these terms. These terms are only used to distinguish one concept from another. For example, without departing from the scope of this application, first process information may be referred to as second process information, and second process information may be referred to as first process information.

[0143] As used in this application, the terms "at least one," "multiple," "each," and "any" mean, respectively, "at least one" includes one, two, or more than two, "multiple" includes two or more than two, "each" refers to each of the corresponding multiples, and "any" refers to any one of the multiples. For example, multiple clients include three clients, where "each client" refers to each of the three clients, and "any" refers to any one of the three clients, which could be the first, the second, or the third.

[0144] To facilitate understanding of the embodiments of this application, the keywords involved in the embodiments of this application will be explained first:

[0145] Login credentials: After logging into the management client based on the user identifier, the management server corresponding to the management client generates an encrypted string for that user identifier, which represents the login authorization information of that user identifier. The login authorization information includes user information and authorization validity period. This login credential is encrypted and stored in the management client.

[0146] Network request credentials: Authorization information issued by the management server for network requests, used to identify the authorization status of the network request.

[0147] Sensitive information includes user ID, login password, login credentials, and network request credentials.

[0148] Zero-trust access control policy: This consists of trusted processes (clients) and the business sites where accessible resources reside. With authorized permissions, any resource can be accessed through any trusted process. The granularity of a zero-trust access control policy is at the logged-in user level, allowing different zero-trust policies to be formulated for different logged-in users.

[0149] Access Gateway (Zero Trust Gateway): Deployed at the entry point of clients and resources, responsible for verifying and forwarding every access request to resources.

[0150] Access Proxy: A terminal access proxy is a terminal agent deployed on a terminal to initiate secure access. It is responsible for initiating requests for trusted authentication of the access subject, establishing encrypted access connections with the access gateway, and also serves as the enforcement point for access control policies.

[0151] Direct access: In a zero-trust network access architecture, when a client initiates a resource access request, the full traffic proxy intercepts the traffic and then initiates a resource access to the business site where the resource is located through the full traffic proxy. This is called a direct connection access. The full traffic proxy then sends the response from the business site to the client. This access mode is called direct access.

[0152] Proxy access: In a zero-trust network access architecture, when a client initiates a resource access request, the full traffic proxy intercepts the traffic and then forwards it to the access gateway. The access gateway then initiates resource access to the business site where the resource is located. The access gateway then sends the response from the business site to the full traffic proxy, which forwards the response to the client. This access mode is called proxy access.

[0153] Accessing entity: The party initiating the access. For example, the person, device, application, process, and service accessing the resource are digital entities formed by a single or combined element such as person, device, application, process, and service.

[0154] Accessed object: The party being accessed. For example, the application, system (development and testing environment, operation and maintenance environment, production environment, etc.), data, interface, function, etc. being accessed.

[0155] White-box cryptography: White-box cryptography is a cryptographic technique that can resist white-box attacks. From an implementation perspective, white-box cryptography is divided into two categories: static white-box and dynamic white-box. Static white-box: The algorithm's key is bound and obfuscated with the specified encryption algorithm to generate a key white-box. One key corresponds to one key white-box, which exists in file format and needs to be integrated into the project and compiled into a binary file during application development.

[0156] Policy: A set of rules issued by the administrator through the management terminal for terminal management. Policies include patch fixing, zero-trust network control, security hardening policies, etc. Policies include information such as tickets, validity periods, and number of valid uses.

[0157] Network session: The process of a user interacting with a business system once, such as the process of a client sending or receiving resources after establishing a network connection with a server. A network session includes the establishment and termination of a connection, or the sending and receiving of resources.

[0158] Access session: Based on network sessions and containing a set of related characteristics. An access session is an abstract concept that binds the network session for each accessed resource (including business applications, core systems, asset data, functional interfaces, etc.) with a combination of device, personnel, network attributes, process attributes, and endpoint attributes.

[0159] Figure 1 This is a schematic diagram of a resource access system provided in an embodiment of this application. See also... Figure 1 The resource access system includes a terminal 101 and a management server 102. The terminal 101 and the server 102 are connected via a wireless or wired network.

[0160] Terminal 101 is equipped with a management client provided by management server 102, as well as other clients different from the management client. Terminal 101 can initiate resource access through other clients and control resource access to other clients through the management client. Optionally, terminal 101 can be a computer, mobile phone, tablet, vehicle terminal, or other terminal. Optionally, the management client is a client provided by a third party. Optionally, management server 102 can be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.

[0161] In one possible implementation, terminal 101 logs into the management client based on a user identifier. When it intercepts resource access requests sent by other clients, the management client verifies the current status information of terminal 101. If the status information verification is successful, the management client then verifies the resource access requests initiated by other clients. Optionally, the management client sends an authentication request for the resource access request to the management server 102. The server 102 verifies the authentication request and returns the verification result to terminal 101, allowing terminal 101 to determine whether the resource access request has been successfully verified. If the resource access request has been successfully verified, the terminal accesses the resource based on the request.

[0162] In one possible implementation, Figure 2 This is a schematic diagram of another resource access system provided in an embodiment of this application. See also... Figure 2 The resource access system also includes a cloud server 103. The cloud server 103 is connected to the management server 102 via a wireless or wired network.

[0163] Optionally, the authentication request carries first process information, which corresponds to the process identifier carried in the resource access request and is obtained from the client that sent the resource access request. When the management server 102 verifies the authentication request, that is, verifies the first process information, if the management server 102 does not store process information corresponding to the first process information, it needs to send the authentication request to the cloud server 103 that stores the latest process information. The cloud server 103 verifies the first process information and sends the verification result to the management server 102. The management server 102 then sends the verification result to the terminal 101.

[0164] In one possible implementation, Figure 3 This is a schematic diagram of another resource access system provided in an embodiment of this application. See also... Figure 3 The resource access system also includes an access gateway 104. If the resource access request is successfully verified, the terminal 101 accesses the resource through the access gateway 104.

[0165] Optionally, a connection is first established between the access gateway 104 and the terminal 101. Then, the terminal 101 sends a resource access request to the access gateway 104 based on the established connection, and the access gateway 104 performs resource access based on the resource access request.

[0166] In one possible implementation, the resource access system includes a terminal 101, a management server 102, a cloud server 103, and an access gateway 104.

[0167] In one possible implementation, for any of the above-mentioned resource access systems, the resource access system also includes a business server for storing resources.

[0168] Figure 4 This is a flowchart illustrating a resource access method provided in an embodiment of this application. The execution subject in this embodiment is a terminal. See also... Figure 4 The method includes the following steps:

[0169] 401. The terminal intercepts the resource access request sent by the first client based on the first access control information.

[0170] Before initiating a resource access request, the terminal has configured first access control information. This first access control information instructs the terminal to intercept the resource access request and perform a verification operation if any client in the terminal sends a resource access request. When the first client initiates a resource access request, the terminal intercepts the resource access request based on the instructions of the first access control information, and then verifies the resource access request based on the verification operation indicated by the first access control information.

[0171] The first client is any client installed on the terminal that can initiate resource access, such as a video client, browser, music client, game client, or other type of client; the resource access request is a request to access any resource, or a resource access request is a request to access a specific type of resource.

[0172] 402. The terminal verifies the current status information.

[0173] After intercepting a resource access request, the terminal obtains its current status information and verifies it to determine whether the terminal is currently capable of accessing the resource. This status information includes network information corresponding to the network the terminal is connected to, the resource type requested in the resource access request, and client information for each client installed on the terminal.

[0174] In this context, successful status information verification indicates that the terminal is currently secure and can access resources; failure to verify status information indicates that the terminal is currently insecure and cannot access resources.

[0175] 403. If the status information verification is successful, the terminal verifies the resource access request based on the first access control information.

[0176] After the terminal has successfully verified its status information and determined that it is currently secure, it still needs to verify resource access requests. Optionally, the terminal can verify the resource access requests, or the terminal and the management client can jointly verify the resource access requests.

[0177] 404. If the resource access request is verified, the terminal will access the resource based on the resource access request.

[0178] If the resource access request is verified, it means that the resource access request can be used to access the resource. Therefore, if the resource access request is verified, the resource access is performed based on the resource access request.

[0179] The method provided in this application, in order to ensure the security of the terminal during resource access, first verifies the current state information of the terminal. Then, if the state information verification passes, i.e., if the terminal is currently secure, it verifies the resource access request based on the first access control information. Resource access is then granted only if the resource access request verification passes. Combining the verification of state information and the verification of the resource access request not only increases the amount of verification information but also, because it uses the terminal's current state information, enables real-time verification of the terminal, thus making the verification process more comprehensive and improving the security of resource access.

[0180] Figure 5 This is a flowchart illustrating a resource access method provided in an embodiment of this application. The execution entity in this embodiment is a management server. See also... Figure 5 The method includes the following steps:

[0181] 501. The management server receives authentication requests sent by the terminal through the management client.

[0182] The authentication request carries first process information, which corresponds to the process identifier carried in the resource access request intercepted by the management client. This first process information is obtained from the first client that sent the resource access request, and it indicates the process in the first client that requested resource access. In other words, the terminal, through the management client, obtains the first process information corresponding to the process identifier carried in the resource access request from the first client that sent the request, and then sends an authentication request carrying this first process information to the management server.

[0183] 502. The management server verifies the authentication request based on the second access control information and returns the verification result of the authentication request to the terminal.

[0184] The management server pre-configures a second access control information, which instructs the execution of a verification operation upon receiving an authentication request. Upon receiving the authentication request, the management server verifies the request based on the verification operation indicated by the second access control information, obtaining a verification result indicating whether the resource access request has been successfully verified. The terminal receives the verification result from the management server and, if the result indicates that the resource access request has been successfully verified, accesses the resource based on the request.

[0185] The management server verifies the authentication request by verifying the first process information carried in the authentication request. If the first process information matches the standard process information corresponding to the process identifier, the authentication request is deemed to have passed the verification.

[0186] The method provided in this application embodiment involves a management server verifying resource access requests initiated by a client in a terminal. The management server then sends the verification result to the terminal, which then accesses the resource. Through the interaction between the terminal and the management server, the verification of resource access requests is achieved. This verification method distributes the verification process across different devices, making the verification process more flexible.

[0187] Figure 6 This is a flowchart illustrating a resource access method provided in an embodiment of this application. The execution entity in this embodiment is an access gateway. See also... Figure 6 The method includes the following steps:

[0188] 601. Access gateway receives network requests sent by terminals, which carry authentication credentials sent by the management server to the terminals.

[0189] Among them, the network request is sent by the terminal after the management server has verified the terminal's resource access request. The verification credential indicates that the resource access request has been verified. The network request is used to request the access gateway to establish a connection with the terminal.

[0190] 602. The access gateway sends a verification request carrying verification credentials to the management server based on third-party access control information.

[0191] The access gateway is pre-configured with third access control information, which instructs that an authentication operation be performed upon receiving a network request.

[0192] The access gateway first needs to verify whether the resource access request has been verified by the management server. Only after confirming that the resource access request has been verified by the management server does it establish a connection between the access gateway and the terminal. Therefore, after receiving a network request, the access gateway sends a verification request to the management server based on the verification operation indicated by the third-party access control information. The management server then verifies the verification credentials, specifically whether the credentials were issued by the management server, and sends the verification result back to the access gateway.

[0193] 603. Once the management server verifies the authentication credentials, the access gateway establishes a connection with the terminal. This connection is used by the terminal to send resource access requests.

[0194] Once the management server verifies the authentication credentials, i.e., confirms that the authentication credentials were issued by the management server, the access gateway establishes a connection between the access gateway and the terminal. The terminal can then use this connection to send resource access requests to access resources.

[0195] The method provided in this application embodiment allows a terminal to access resources through an access gateway. The access gateway interacts with a management server, enabling the management server to verify the authentication credentials. Only when the authentication credentials are successfully verified can a connection be established for resource access. This avoids the access gateway establishing a connection based on invalid authentication credentials. The management server's verification of authentication credentials makes the verification process more complete, thereby improving the security of resource access.

[0196] The above Figure 4 , 5 Sections 6 and 6 respectively introduced the resource access process using terminals, management servers, and access gateways as the main execution entities. The following section provides a detailed explanation of the interaction process between various devices.

[0197] The first access control information, the second access control information, and the third access control information in this embodiment are configured by the management terminal. Before introducing the resource access process, the configuration of each access control information will be explained first.

[0198] For example, see Figure 7 The gateway configuration interface 701 shown allows you to configure trusted gateways, including the gateway name, gateway settings, and the IP (Internet Protocol) range that can be accessed preferentially. Specifically, you can search for configured gateways by entering the gateway name in the gateway query field; add a new gateway by triggering the add gateway control; and select and delete multiple configured gateways by triggering the batch delete control.

[0199] See Figure 8 The policy management interface 801 shown allows you to configure trusted clients and the URLs (Uniform Resource Locators) corresponding to resources in the business system that the trusted clients can access. Figure 8 The example used is any client installed on a Windows system that is considered a trusted client and can access resources corresponding to any address in the business system.

[0200] See Figure 9 The business system configuration interface 901 shown allows you to configure the address of the business system, the IP address of the business system, and the port that can be accessed.

[0201] See Figure 10 The resource configuration interface 1001 shown allows users to set the resource name, resource category, port corresponding to the resource in the business system, group to which the resource belongs, access method (direct access and proxy access), and protocol type of each resource.

[0202] See Figure 11 The other business system configuration interface 1101 shown allows you to configure the address of the business system, the domain name of the business system, and the port of the business system.

[0203] See Figure 12 Another gateway configuration interface 1201 is shown. This gateway configuration interface 1201 can be used to configure gateways that can access business systems. Multiple different gateways can be configured for a business system, and different priorities of the gateways can be set. Gateways with higher priorities can access business systems first.

[0204] See Figure 13 The trusted client configuration interface 1301 shown allows configuration of a trusted client, including client name, process name, operating system, client signature information, version, process MD5 (Message Digest Algorithm 5), and SHA256 information.

[0205] In this embodiment, the mapping relationship between the access subject, access object, and access permissions, as well as network attribute information, are configured through the aforementioned interfaces. The access subject represents the client requesting resource access, the access object represents the resource to be accessed, the access permission mapping relationship indicates that access to a resource is permitted based on a specific user identifier and through a specific client, and the network attribute information includes network information permitted for resource access, the access protocol used for resource access, the access domain name, the network request method, and the request path. For example, taking an enterprise resource (business system) as the access object, the access subject is the user information and client information of an authorized user accessing the enterprise resource through the zero-trust network access function (a function possessed by the management client), the access permission mapping relationship allows access to the enterprise resource through client B based on user identifier A, and the access permission refers to the access subject's read and operation permissions for the access object.

[0206] It should be noted that the embodiments of this application are only illustrated by configuring various access control information through the above interface. In another embodiment, access control information can also be configured through other interfaces, such as configuring user identifiers that can access the business system. The embodiments of this application do not limit the configuration method of access control information or the specific content of access control information.

[0207] In one possible implementation, the management terminal has a management client installed, and the administrator logs in to the management client based on the administrator's identifier, and then configures access control information based on the logged-in administrator's identifier.

[0208] In this embodiment of the application, after the management terminal configures the first access control information, the second access control information, and the third access control information, it sends each access control information to the terminal, the management server, and the access gateway respectively, according to the device to which each access control information applies, so that the terminal, the management server, and the access gateway can control resource access based on the received access control information.

[0209] Figure 14 This is a flowchart illustrating a resource access method provided in an embodiment of this application. The interaction entities in this embodiment are a terminal, a management server, and an access gateway. See also... Figure 14 The method includes the following steps:

[0210] 1401. The terminal, through the management client, intercepts the resource access request sent by the first client based on the first access control information.

[0211] The terminal has a management client and a first client installed. The management client is different from the first client, which is any client in the terminal other than the management client. The management client is used to perform resource access control on the clients in the terminal. The management client stores first access control information, which instructs that if any client in the terminal sends a resource access request, the resource access request should be intercepted.

[0212] In this embodiment of the application, the terminal triggers resource access through the first client, generates a resource access request, and sends the resource access request. When the terminal detects the resource access request sent by the first client through the management client, it intercepts the resource access request based on the first access control information.

[0213] In one possible implementation, the first access control information includes an interception mode, which indicates that if any client in the terminal sends a resource access request, the resource access request should be intercepted based on the interception mode. The interception mode includes a first interception mode and a second interception mode. The first interception mode indicates that a resource access request sent by any client in the terminal to access any resource should be intercepted, and the second interception mode indicates that a resource access request sent by any client in the terminal to access a non-public resource should be intercepted.

[0214] The management client determines which interception mode it is currently in based on the interception modes included in the first access control information. Then, the terminal intercepts the corresponding resource access requests based on the interception mode in which the management client is in. The terminal intercepts resource access requests when the management client is in the first interception mode.

[0215] Alternatively, if the terminal is in the second interception mode on the management client and the target address carried in the resource access request belongs to the first address set, the resource access request will be intercepted. That is, when the management client is in the second interception mode, it needs to first determine whether the resource requested in the resource access request is a non-public resource. If it is a non-public resource, the resource access request will be intercepted; otherwise, it will not be intercepted, and the terminal can directly access the resource based on the resource access request without executing subsequent steps. Here, the target address is the address corresponding to the resource to be accessed. The first address set includes addresses of non-public resources, which refer to resources that can be accessed by logging in with a user ID with access permissions. For example, if a non-public resource is a company's resource, the administrator sets access permissions for the user IDs corresponding to the company's employees. Users logging in with user IDs with access permissions can access the company's resource. For example, the target address could be an IP address or a domain name.

[0216] In one possible implementation, the management client includes a first sub-client, which intercepts resource access requests based on first access control information. Optionally, the terminal intercepts resource access requests when the first sub-client is in a first interception mode; or, the terminal intercepts resource access requests when the first sub-client is in a second interception mode and the target address carried by the resource access request belongs to a first address set.

[0217] In one possible implementation, the resource access request carries a source IP address or domain name, a source port, a destination IP address or domain name, a destination port, and a process identifier that indicates the process requesting the resource access.

[0218] 1402. The terminal verifies the current status information of the terminal.

[0219] In this embodiment, considering that the resources accessed by the terminal change in real time, the requested resources may differ at different times, the network connected to the terminal may change with the terminal's environment, and the client installed on the terminal may also change, it is necessary to verify the terminal's current state information to ensure its security.

[0220] In one possible implementation, the status information includes network information corresponding to the network currently connected to the terminal. This network information may include the network IP address, network type, and network name of the physical network interface card (NIC). The terminal obtains the network information corresponding to the currently connected network; if this network information matches the target network information, the status information verification is successful, and the target network information is confirmed to be from a secure network. Here, matching the network information with the target network information means that the network IP addresses are the same.

[0221] Optionally, the status information also includes the user identifier of the login management client. If the network information does not match the target network information, the user identifier is verified. If the user identifier verification is successful, the status information verification is considered successful. That is, even if the network information does not match the target network information, meaning the network the terminal is connected to has changed, verifying the user identifier and confirming its authorization to access resources still indicates that the user identifier has the necessary permissions, and the status information verification is considered successful. This embodiment of the application, by verifying both network information and the user identifier, can identify whether the user identifier is logging in from a different location. If a different location login is detected, based on the user identifier verification, if it is determined that the user identifier has the necessary permissions to access resources, the status information verification is considered successful, allowing the resource access process to continue. This verification method ensures access security while being more flexible, not limited to situations where network information and target network information match before resource access can proceed.

[0222] In one possible implementation, the status information includes the resource type of the resource requested in the resource access request. The terminal obtains the resource type of the resource requested in the resource access request. If the resource type is a public resource, the terminal determines that the status information verification is successful. Here, a public resource is a resource that can be accessed by a client with any logged-in user ID. That is, when the terminal identifies the requested resource as a public resource, it determines that the resource can be accessed based on any user ID, therefore further verification of the user ID is required. A public resource is a resource that can be accessed based on any user ID. For example, a public resource is a resource publicly available on the network.

[0223] Optionally, the status information also includes the user identifier of the login management client. When the resource type is a non-public resource type, the user identifier is verified. If the user identifier verification is successful, the status information verification is considered successful. That is, even though the resource to be accessed is a non-public resource type, the user identifier is verified. If the user identifier verification is successful, it indicates that the user identifier has the permission to access the resource, and the status information verification is still considered successful. This embodiment of the application verifies both the resource type and the user identifier. By identifying whether the user identifier has the permission to access the resource, and determining that the user identifier has the permission to access the resource, the status information verification is considered successful, allowing the resource access process to continue. This verification method, by verifying the user identifier when it is determined that the resource to be accessed is a non-public resource type, improves the security of resource access.

[0224] For example, resources that are not public resources include user information such as user identifiers and login passwords, sensitive information such as login credentials and network request credentials, and also enterprise resources of a particular company.

[0225] Optionally, the terminal parses the resource access request to obtain the target address carried in the resource access request, and obtains the resource type to which the resource corresponding to the target address belongs based on the target address. For example, the resource type can be determined based on the fields in the target address, or based on the correspondence between the address and the resource type. This application embodiment does not limit the method of determining the resource type.

[0226] In one possible implementation, the user identifier verification includes: if the user identifier belongs to a target identifier set, determining that the user identifier verification is successful, wherein the user identifiers included in the target identifier set have the permission to access resources. Optionally, the target identifier set includes a first identifier set and a second identifier set. If the network information does not match the target network information, determining whether the user identifier belongs to the first identifier set; if the resource type is a non-public resource type, determining whether the user identifier belongs to the second identifier set. The user identifiers included in the first identifier set and the second identifier set may be the same or not completely identical. Optionally, the first identifier set or the second identifier set may also include multiple subsets, and the user identifiers included in different subsets have different time periods for resource access. Therefore, when verifying a user identifier, it is also necessary to verify whether the current time belongs to the time period during which the user identifier is allowed to access resources. For example, if a user identifier is allowed to access resources from 8:00 to 18:00, and the current time is 20:00, then it is determined that the user identifier verification has failed.

[0227] In one possible implementation, the status information includes client information for each client installed on the terminal. This client information is descriptive, such as the MD5 hash of the executable file corresponding to the client, file version information, copyright information, file description, product information, product name, signature information, root certificate, intermediate certificate, and signing certificate. The terminal obtains the current client information for each installed client, verifies each client's information, and determines that each client's information verification is successful (i.e., status information verification is successful) if each client's information matches its corresponding target client information; otherwise, it determines that each client's information verification is unsuccessful (i.e., status information verification is unsuccessful).

[0228] Optionally, if the terminal stores target client information for each client, the terminal directly matches the client information with the corresponding target client information. Alternatively, the terminal sends the client information of each client to the server corresponding to that client. The server stores the target client information for each client, matches the client information with the target client information, and then returns the matching result to the terminal.

[0229] In one possible implementation, client information verification also includes virus scanning, vulnerability patching, security hardening, data protection, real-time protection, and heartbeat detection. Only after all of these verifications pass will subsequent resource access be allowed. If an anomaly exists that cannot be automatically fixed and requires manual repair by the user, a prompt interface will be displayed, indicating the cause of the anomaly and providing repair suggestions. Resource access will be prohibited until the user repairs the anomaly.

[0230] In one possible implementation, the terminal verifies its current state information through a management client, and the verification process for the state information is executed by the management client.

[0231] For example, see Figure 15 The login interface 1501 in the management client shown displays the following information when the user logs in to the management client based on their identifier, and the network information corresponding to the network currently connected to the terminal matches the target network information. Figure 16 The first display interface 1601 shown includes prompts indicating that the user has connected to a secure network and can access resources. Alternatively, it may display information such as... Figure 16 The second display interface 1602 shown includes prompts that inform the user of the clients on the current terminal that can access resources.

[0232] Furthermore, the terminal's status information can be verified through the management client, for example, see [link to relevant documentation]. Figure 17 The verification interface 1701 shown verifies status information, such as whether each client is secure and whether any running processes are violating regulations. If a violation is detected in a process, the following will be displayed: Figure 18 The prompt interface 1801 shown indicates to the user that a process is currently violating regulations. The management client can then automatically repair the violating process, or the user can manually repair it. Upon successful repair, the following will be displayed: Figure 19 The detection interface shown is 1901. If the repair fails, it will display as follows: Figure 20 The displayed prompt interface 2001 indicates that the user's current status information verification failed and access to resources is unavailable.

[0233] It should be noted that the embodiments in this application are only used as an example to illustrate the verification process of status information after intercepting the resource access request. In another embodiment, the terminal can periodically verify the status information of the terminal through the management client.

[0234] The above-mentioned verification methods for status information can be executed individually or in combination. That is, at least two of the above three verification methods are used to verify the status information. If both verification methods pass, the status information is determined to be verified successfully. If any one of the at least two verification methods fails, the status information is determined to be verified unsuccessfully.

[0235] In one possible implementation, the terminal includes a terminal environment awareness module, which can obtain the terminal's status information. For enterprise resource access scenarios, the management client includes an enterprise resource security policy service. After obtaining the status information, the terminal sends it to the enterprise resource security policy service, which then adjusts the access rules for the business system.

[0236] In this embodiment, by verifying the current status information of the terminal, dynamic evaluation of resource access requests is achieved, that is, the status information is detected in real time to ensure that the terminal is secure and to ensure the effective implementation of the subsequent verification process for resource access requests.

[0237] 1403. When the status information verification is successful, the terminal verifies the first process information corresponding to the process identifier carried in the resource access request based on the first access control information.

[0238] The first access control information indicates the verification operation for the intercepted resource access request. The resource access request carries a process identifier, which indicates the process requesting resource access.

[0239] In one possible implementation, considering that the terminal's state information may change, to avoid the situation where the state information changes after verification, making it uncertain whether the changed state information will pass verification (i.e., the terminal cannot be guaranteed to be secure after the state information changes), the terminal verifies the first process information based on the first access control information within a target duration after the state information verification is successful. The target duration can be any duration, such as 30 seconds, 1 minute, or any other duration.

[0240] In one possible implementation, after the status information verification is successful, the terminal obtains the first process information corresponding to the process identifier from the first client based on the process identifier. This first process information is the current actual process information in the first client. The terminal also obtains the second process information corresponding to the process identifier from the management client based on the process identifier. This second process information is the process information stored by the management client. Then, it is determined whether the first process information and the second process information match. If the first process information and the second process information match, it means that the current first process information of the first client is accurate and can execute the subsequent resource access process. If the first process information and the second process information do not match, it means that the current first process information of the first client may have been tampered with, that is, the first client is not a secure client. In order to ensure the security of access, the subsequent resource access process will not be executed.

[0241] Optionally, the first process information includes MD5, process path, process last modified time, copyright information, and signature information. Matching the first process information with the second process information means that all information in the first process information is identical to all information in the second process information. If any information differs, then the first process information and the second process information are determined to be mismatched.

[0242] In another possible implementation, if the management client does not store the process information corresponding to the process identifier, the terminal cannot verify the first process information, and the management client needs to verify the first process information.

[0243] It should be noted that the embodiments in this application are only illustrated with the example of successful status information verification. In another embodiment, if the status information verification fails, the terminal deletes the resource access request and no longer accesses resources based on the resource access request.

[0244] 1404. If the first process information meets the conditions, the terminal sends an authentication request carrying the first process information to the management server based on the first access control information.

[0245] The "first process information meets the condition" means that the first process information matches the second process information, or that the management client does not store process information corresponding to the process identifier. The authentication request is used to request the management server to verify the first process information. The first access control information indicates the verification operation to be performed when the first process information meets the condition.

[0246] In this embodiment, when the first process information matches the second process information, to prevent the second process information stored in the management client from being inaccurate due to outdated information, a matching of the first and second process information does not guarantee that the first process information is accurate. Therefore, an authentication request is sent to the management server for secondary verification of the first process information, which improves the accuracy of the verification results and thus enhances the security of resource access. In cases where the management client does not store process information corresponding to the process identifier, the terminal cannot verify the accuracy of the first process information; therefore, the management server is required to verify the first process information.

[0247] 1405. The management server verifies the authentication request based on the second access control information and sends the verification result of the authentication request to the terminal.

[0248] The second access control information indicates that a verification operation should be performed upon receiving an authentication request. The verification result of the authentication request indicates whether the resource access request has been successfully verified, and the authentication request carries a process identifier and first process information.

[0249] In one possible implementation, the management server retrieves the stored third process information corresponding to the process identifier based on the process identifier, and then matches the first process information with the third process information. If the first process information matches the third process information, the authentication request is deemed successful, i.e., the resource access request is successfully verified, and the management server issues a verification credential to the terminal. If the first process information does not match the third process information, the authentication request is deemed unsuccessful, i.e., the resource access request is unsuccessful, and the management server sends a verification failure notification to the terminal. After receiving the verification failure notification, the terminal stops executing the subsequent resource access process.

[0250] Optionally, the first process information includes MD5, process path, process last modified time, copyright information, and signature information. Matching the first process information with the third process information means that all information included in the first process information is identical to all information included in the third process information. If any one piece of information differs, then the first process information and the third process information are determined to be mismatched.

[0251] Optionally, the verification credential includes a verification pass notification, a maximum number of uses, and a validity period. The verification pass notification indicates that the resource access request has been verified; the maximum number of uses refers to the number of times the resource access request will be performed; and the validity period refers to the time during which the verification credential will be used.

[0252] In another possible implementation, if the local device does not store process information corresponding to the process identifier, the management server sends an authentication request to the cloud server, which stores the latest process information. Upon receiving the authentication request, the cloud server verifies the first process information based on the request and returns the verification result of the first process information to the management server. Specifically, the cloud server's verification of the first process information includes: matching the first process information with the process information corresponding to the process identifier stored in the cloud server; if the first process information matches the process information corresponding to the process identifier stored in the cloud server, the verification of the first process information is deemed successful, and a notification of successful verification of the first process information is returned to the management server; if the first process information does not match the process information corresponding to the process identifier stored in the cloud server, the verification of the first process information is deemed unsuccessful, and a notification of unsuccessful verification of the first process information is returned to the management server.

[0253] When the management server receives a notification that the first process information verification has passed, it sends a verification credential to the terminal; when it receives a notification that the first process information verification has failed, it sends a notification that the verification has failed to the terminal.

[0254] Optionally, after verifying the first process information, the cloud server sends third process information to the management server. This third process information is the process information corresponding to the process identifier stored in the cloud server, and the management server stores the process identifier and the third process information in a corresponding manner. Optionally, to prevent other devices from tampering with the third process information, the third process information is stored in encrypted form. For example, white-box cryptography or other encryption methods can be used for encryption. This application embodiment does not limit the encryption method.

[0255] In one possible implementation, the management server verifies the first process information if the process identifier belongs to a set of process identifiers, where the set of process identifiers includes process identifiers corresponding to processes that are allowed to access resources.

[0256] In one possible implementation, after the management server completes the verification of the first process information, it sends the third process information corresponding to the process identifier stored in the management server to the management client. Upon receiving the third process information from the management server, the management client updates the second process information based on the third process information if it already stores the second process information corresponding to the process identifier; or, if the management client does not store the process information corresponding to the process identifier, it stores the third process information as the second process information corresponding to the process identifier in the management client. Optionally, the management client encrypts and stores the second process information.

[0257] In another possible implementation, to ensure the accuracy of the third-party process information stored in the management client, the management server periodically initiates asynchronous detection requests to the cloud server. These requests carry the third-party process information and its corresponding process identifier. The cloud server, based on the process information stored on its local device, determines whether the received third-party process information is up-to-date. If it determines that the information is not up-to-date, it sends the latest third-party process information corresponding to the process identifier to the management server. The management server then updates its original third-party process information based on this updated information. Optionally, after updating the third-party process information, the management server sends the updated information to the management client, enabling the client to update the second-party process information corresponding to the process identifier based on this updated information, thus ensuring that the second-party process information stored in the management client is up-to-date.

[0258] It should be noted that this embodiment only illustrates the example of an authentication request carrying first process information and a process identifier. In another embodiment, the authentication request also carries a source address, a source port, a target address, and a target port. The management server then needs to determine, based on the target mapping relationship, whether the resource corresponding to the target address and target port can be accessed through the source address and source port. The target mapping relationship includes the correspondence between the source address and source port requesting resource access and the target address and target port corresponding to the accessible resource. If a correspondence exists between the source address and source port and the target address and target port, it is determined that resource access can be performed through the resource access request.

[0259] 1406. The terminal receives the verification result returned by the management server. If the verification result indicates that the resource access request has been verified, the terminal sends a network request carrying the verification credentials to the access gateway through the management client.

[0260] Once the terminal receives the verification credentials, it determines that the resource access request has been successfully verified, and can then continue the resource access process. This embodiment of the application takes resource access via an access gateway as an example. When accessing via an access gateway, a connection needs to be established between the terminal and the access gateway first. Therefore, the management client sends a network request carrying the verification credentials to the access gateway.

[0261] It should be noted that the embodiments in this application are only illustrated with the example of a resource access request being verified successfully. In another embodiment, if the verification result indicates that the resource access request has failed, the resource access request is deleted and no further resource access process is executed. Simultaneously, the target process corresponding to the process identifier performs subsequent resource access, and the target process is either cleared or its process identifier is added to a blacklist. The blacklist includes processes corresponding to process identifiers that are prohibited from accessing resources.

[0262] Another point to note is that the embodiments in this application are only illustrated by taking resource access through an access gateway as an example. In another embodiment, the management client can directly send the resource access request to the corresponding business server for resource access, that is, perform direct access.

[0263] 1407. The access gateway receives a network request and, based on third-party access control information, sends a verification request carrying verification credentials to the management server.

[0264] The third access control information indicates that a verification operation should be performed upon receiving a network request. To ensure the authenticity of the verification credentials, the access gateway, upon receiving the network request, sends a verification request carrying the verification credentials to the management server, requesting the management server to verify the authenticity of the verification credentials.

[0265] In one possible implementation, after receiving a network request, the access gateway parses the network request and obtains the verification ticket from the header fields of the network request.

[0266] 1408. The management server receives the verification request, verifies the verification credentials, and returns the verification result of the verification credentials to the access gateway.

[0267] After receiving the verification request, the management server verifies the verification credential to determine whether it was issued by the management server. If it is determined that the verification credential was issued by the management server, the verification is deemed successful, and a verification success notification is sent to the access gateway. If it is determined that the verification credential was not issued by the management server, the verification is deemed unsuccessful, and a verification failure notification is sent to the access gateway.

[0268] In one possible implementation, if the verification credential passes, the management server increments the usage count corresponding to that credential by one and stores the usage count in the management server. The management server also needs to verify whether the current usage count of the credential has reached the maximum usage count. If the maximum usage count has not been reached, the verification credential is deemed to have passed; if the maximum usage count has been reached, the verification credential is deemed to have failed.

[0269] In one possible implementation, if the verification credential includes an expiration time, the management server verifies whether the verification credential has exceeded its usable expiration time. If it has not exceeded the usable expiration time, the verification credential is determined to be verified successfully; if it has exceeded the usable expiration time, the verification credential is determined to be verified unsuccessfully.

[0270] In one possible implementation, the second access control information further instructs that a verification operation be performed upon receiving a verification request. The management server verifies the verification credentials based on the second access control request. Optionally, the second access control information instructs that the authenticity of the verification credentials be verified, the number of times the verification credentials have been used be verified, and the validity period of the verification credentials be verified.

[0271] 1409. If the authentication credentials are verified, the access gateway establishes a connection between the access gateway and the terminal.

[0272] 1410. Based on the established connection, the terminal sends a resource access request to the access gateway.

[0273] Once the authentication credentials are verified, the access gateway establishes a connection between the access gateway and the terminal, enabling the terminal to send a resource access request to the access gateway through the established connection.

[0274] In one possible implementation, the access gateway establishes a connection between itself and the management client, and the management client sends a resource access request to the access gateway based on the established connection.

[0275] In one possible implementation, the third access control information also instructs the verification of the resource access request format. Upon receiving a resource access request, the access gateway, based on the third access control information, determines whether the request format matches the target format. The target format indicates the format of the address and port carried in the request, the requested path, etc.

[0276] In one possible implementation, the third access control information also instructs the verification operation to be performed on the source IP address carried in the resource access request. The access gateway obtains the source IP address carried in the resource access request, verifies the source IP address, and executes the subsequent resource access process if the source IP address is verified.

[0277] Optionally, the access gateway verifies whether the source IP address is a legitimate IP address. For example, if the access gateway stores a blacklist of IP addresses, it determines whether the source IP address belongs to the blacklist. If the source IP address does not belong to the blacklist, the source IP address is deemed legitimate. Alternatively, if the access gateway stores a whitelist of IP addresses, it determines whether the source IP address belongs to the whitelist. If the source IP address belongs to the whitelist, the source IP address is deemed legitimate, i.e., the source IP address verification passes.

[0278] Optionally, the access gateway verifies whether the access frequency of the source IP address exceeds a first target threshold. If the access frequency exceeds the first target threshold, the verification of the source IP address is deemed unsuccessful; otherwise, the verification of the source IP address is deemed successful. For example, it verifies whether the access volume of the source IP address exceeds the first target threshold, where the total access volume refers to the total number of resource accesses based on the source IP address, and the first target threshold is any pre-set value. Alternatively, it verifies whether the access volume of the source IP address within a target duration exceeds the first target threshold, where the access volume within the target duration refers to the total number of resource accesses based on the source IP address within the target duration, where the target duration refers to a period of time between the current point in time, such as 1 hour, 1 day, or other durations prior to the current point in time, and the first target threshold is any pre-set value. Or, it verifies whether the access volume of the source IP address within a target time period exceeds... The first target threshold is exceeded, where the number of accesses within the target time period refers to the total number of resource accesses based on the source IP address within that target time period. The target time period refers to a pre-set time period, and the first target threshold can be different for different time periods. For example, if the target time period is 8:00-18:00, the first target threshold is 100 times within this time period; if the target time period is 18:00-22:00, the first target threshold is 10 times within this time period; and if the target time period is 22:00-6:00, the first target threshold is 5 times within this time period.

[0279] In one possible implementation, the third access control information also instructs the execution of a verification operation on the resource access path carried in the resource access request. The access gateway obtains the resource access path carried in the resource access request, verifies the resource access path, and executes the subsequent resource access process if the resource access path verification is successful.

[0280] Optionally, the access gateway verifies whether the resource corresponding to the resource access path is an accessible resource. For example, the access gateway stores a first set of paths corresponding to accessible resources. If the resource access path belongs to the first set of paths, the access path is verified as valid, and resource access can then be performed based on the access path. If the resource access path does not belong to the first set of paths, the access path is verified as invalid, and subsequent resource access procedures are not performed. Alternatively, the access gateway stores a second set of paths corresponding to inaccessible resources. If the resource access path does not belong to the second set of paths, the access path is verified as valid, and resource access can then be performed based on the access path. If the resource access path belongs to the second set of paths, the access path is verified as invalid, and subsequent resource access procedures are not performed.

[0281] Optionally, if the resource access path verification passes, the system will further verify whether the access frequency of the resource corresponding to the resource access path exceeds a second target threshold. If the access frequency exceeds the second target threshold, it is determined that access to the resource corresponding to the resource access path can no longer be granted; if the access frequency does not exceed the second target threshold, it is determined that access to the resource corresponding to the resource access path can continue. For example, it verifies whether the number of accesses to the resource corresponding to the resource access path within a target duration exceeds the second target threshold. The number of accesses to the resource corresponding to the resource access path within the target duration refers to the total number of requests to access the resource corresponding to the resource access path within the target duration. The target duration refers to a period of time between the current point in time, such as 1 hour, 1 day, or other durations before the current point in time. The first target threshold is any pre-set value. Further, the resource access request carries the source IP address, and it verifies whether the number of accesses to the resource corresponding to the resource access path based on the source IP address within the target duration exceeds the second target threshold.

[0282] Optionally, the access gateway sets different second target thresholds for different time periods. For example, if the target time period is 8:00-12:00, and the second target threshold is 500 accesses within this period, then it verifies whether the number of accesses to the resource corresponding to the access path exceeds 500 times within this period. If it exceeds 500 times, it determines that access to the resource is prohibited within the 8:00-12:00 period; if it does not exceed 500 times, it determines that access to the resource is permitted within the 8:00-12:00 period. Furthermore, for different source IP addresses, second target thresholds are set for different time periods.

[0283] It should be noted that the second target threshold for resources corresponding to different resource access paths can be the same or different.

[0284] Another point to note is that the embodiments of this application are only used as an example of the access gateway verifying the source IP address, the access frequency of the source IP address, and the resource access path. In another embodiment, the access gateway can also verify other information carried by the resource access request, which is not limited in this embodiment.

[0285] 1411. Access gateway sends resource access request to business server.

[0286] In one possible implementation, the access gateway determines the business server corresponding to the target address based on the target address carried in the resource access request, and sends the resource access request to the determined business server.

[0287] Based on the received resource access request, the business server sends the corresponding target resource to the access gateway, which then sends the target resource to the management client. The management client then forwards the target resource to the first client, thus completing the resource access for the first client.

[0288] Additionally, see Figure 21 The diagram illustrating the resource access method shows that the management client, management server, and access gateway act as providers of zero-trust network security services. The management client and access gateway provide a unified entry point for access subjects and access objects, enabling access subjects to request the management server to authenticate resource access requests through this unified entry point. If the resource access request is successfully verified, the actual resource access is then performed through the access gateway.

[0289] The method provided in this application, in order to ensure the security of the terminal during resource access, first verifies the current state information of the terminal. Then, if the state information verification passes, i.e., if the terminal is currently secure, it verifies the resource access request based on the first access control information. Resource access is then granted only if the resource access request verification passes. Combining the verification of state information and the verification of the resource access request not only increases the amount of verification information but also, because it uses the terminal's current state information, enables real-time verification of the terminal, thus making the verification process more comprehensive and improving the security of resource access.

[0290] Furthermore, in this embodiment, the terminal, management server, and access gateway have pre-configured access control information. During resource access, the terminal can also perform real-time verification of status information, i.e., generate real-time access control rules during resource access. By combining the pre-configured access control information and the real-time generated access control rules, the client's resource access is jointly controlled, enabling more precise access control and unified risk management measures, thereby improving resource access security and achieving more accurate control capabilities.

[0291] Furthermore, in this embodiment, the terminal, management server, and access gateway are all configured with corresponding access control information. Each of these components performs corresponding operations based on its own access control information, and the verification process for resource access requests is implemented through interaction between the terminal, management server, and access gateway. This device-to-device verification method avoids multiple verifications performed by a single device, thereby improving verification efficiency and resulting in faster resource access for the user. Moreover, when access control information changes, only the access control information in the corresponding device needs to be updated, rather than updating all access control information. This update method reduces the time it takes for access control information to take effect, avoiding delays, and allows for precise control of resource access without affecting established access. Furthermore, for established resource access requests, updating access control information can promptly interrupt the resource access through the terminal or access gateway.

[0292] In one possible implementation, the above Figure 14 The management client in the illustrated embodiment includes a first sub-client and a second sub-client. See also Figure 22 The flowchart shown illustrates the resource access method. The resource access process is as follows:

[0293] 1. The terminal intercepts the resource access request sent by the first client through the first sub-client. The resource access request carries a process identifier.

[0294] 2. The terminal sends the resource access request to the second sub-client through the first sub-client.

[0295] 3. After receiving the resource access request through the second sub-client, the terminal verifies the current status information of the terminal. If the status information verification is successful, the terminal obtains the first process information corresponding to the process identifier from the first client.

[0296] 4. The terminal sends an authentication request carrying the first process information to the management server through the second sub-client.

[0297] 5. After receiving the authentication request, the management server verifies the authentication request. If the authentication request is verified, the server sends the verification credentials to the second sub-client.

[0298] 6. After receiving the verification credential through the second sub-client, the terminal sends the verification credential to the first sub-client.

[0299] 7. After receiving the authentication credential through the first sub-client, the terminal sends a network request carrying the authentication credential to the access gateway.

[0300] 8. After receiving the network request, the access gateway sends a verification request carrying the verification credential to the management server.

[0301] 9. After receiving the verification request, the management server verifies the verification credentials. If the verification credentials pass the verification, the management server sends a verification success notification to the access gateway.

[0302] 10. After receiving the verification certificate verification notification, the access gateway establishes a connection between the access gateway and the first sub-client. The terminal then sends a resource access request to the access gateway through the first sub-client based on the established connection.

[0303] 11. After receiving a resource access request, the access gateway sends the resource access request to the corresponding business server.

[0304] 12. Based on the resource access request, the business server sends the corresponding target resource to the access gateway.

[0305] 13. The access gateway sends the received target resource to the first sub-client.

[0306] 14. The terminal sends the target resource to the first client through the first sub-client.

[0307] See Figure 22 In one possible implementation, the management server includes a policy center module, an inspection service module, and a ticket center module. The policy center module stores second access control information to indicate the verification operation to be performed. The inspection service module is used to interact with the cloud server. The ticket center is used to issue verification credentials to the terminal and to verify the verification credentials.

[0308] It should be noted that, Figure 21 The resource access process shown is the same as described above. Figure 14 The implementation method of the resource access process shown is similar and will not be described again here.

[0309] The resource access method provided in this application can be applied in various scenarios. This application takes the application in a remote office scenario as an example to illustrate the resource access method:

[0310] To ensure the security of accessing internal enterprise resources when users work remotely, the resource access method provided in this application is used to verify resource access requests. The resource access process is as follows: The user uses their own private terminal to log in to the management client in the terminal based on the user identifier. Then, through the management client, based on the first access control information, the resource access request sent by a certain client is intercepted. This resource access request is used to request access to internal company data. Then, the current status information of the terminal is verified to determine whether the current terminal is compliant, thereby determining whether it is possible to access internal company data through the terminal. If the verification result indicates that the terminal is compliant, the resource access request is verified again using the implementation methods of steps 1403-1411 above to access internal company data.

[0311] The embodiments of this application can also be applied to intelligent transportation scenarios. In intelligent transportation scenarios, the terminal in the embodiments of this application is an in-vehicle terminal. The resource access process in intelligent transportation scenarios will not be described in detail here.

[0312] Figure 23 This is a schematic diagram of the structure of a resource access device provided in an embodiment of this application. See also... Figure 23 The device includes:

[0313] The request interception module 2301 is used to intercept resource access requests sent by a first client based on first access control information. The first access control information indicates that the resource access request should be intercepted and a verification operation should be performed if any client in the terminal sends a resource access request.

[0314] The first verification module 2302 is used to verify the current status information of the terminal;

[0315] The second verification module 2303 is used to verify the resource access request based on the first access control information when the status information verification is successful.

[0316] The resource access module 2304 is used to access resources based on the resource access request if the resource access request is verified.

[0317] Optionally, the request interception module 2301 is used to intercept resource access requests through the management client based on the first access control information, and the management client is used to perform resource access control on the client in the terminal.

[0318] Optionally, the status information includes network information, and the first verification module 2302 includes:

[0319] The first verification unit is used to obtain network information corresponding to the network currently connected to the terminal;

[0320] The first verification unit is also used to determine, if the network information matches the target network information, that the status information verification has passed and the target network information is the network information corresponding to the secure network; or...

[0321] The status information also includes the user identifier of the login management client. The first verification unit is also used to verify the user identifier when the network information does not match the target network information. If the user identifier is verified, the status information verification is confirmed to be successful.

[0322] Optionally, the status information includes the resource type, and the first verification module 2302 includes:

[0323] The second verification unit is used to obtain the resource type of the resource requested by the resource access request;

[0324] The second verification unit is further configured to, when the resource type is a public resource, determine that the status information verification has passed, and that the resource belonging to the public resource type is a resource that allows access by clients that can log in with any user ID; or,

[0325] The status information also includes the user identifier of the login management client. The second verification unit is also used to verify the user identifier when the resource type is a non-public resource type. If the user identifier is verified, the status information verification is confirmed to be successful.

[0326] Optionally, the first verification module 2302 is used to determine that the user identifier has passed verification and that the user identifiers included in the target identifier set have the right to access resources if the user identifier belongs to the target identifier set.

[0327] Optionally, the status information includes client information for each client installed on the terminal, and the first verification module includes:

[0328] The third verification unit is used to obtain the current client information of each client installed on the terminal and verify the client information.

[0329] The second verification module 2303 is used to verify resource access requests based on the first access control information, provided that all client information has been verified successfully.

[0330] Optionally, the request interception module 2301 includes:

[0331] The first interception unit is configured to intercept resource access requests when the management client is in a first interception mode, wherein the first interception mode instructs to intercept resource access requests sent by any client in the terminal for accessing any resource; or,

[0332] The second interception unit is used to intercept resource access requests when the management client is in the second interception mode and the target address carried by the resource access request belongs to the first address set. The second interception mode indicates that any client in the terminal is intercepting resource access requests for accessing non-public resources. The first address set includes addresses of non-public resources.

[0333] Optionally, the resource access request carries a process identifier, which indicates the process requesting resource access. The first access control information indicates the verification operation of the process information corresponding to the process identifier. The second verification module is used for:

[0334] If the status information verification is successful, the first process information corresponding to the process identifier is obtained from the first client based on the process identifier;

[0335] Based on the process identifier, obtain the second process information corresponding to the process identifier from the management client;

[0336] If the first process information matches the second process information, an authentication request is sent to the management server corresponding to the management client. The authentication request carries the first process information. The management server uses the second access control information to verify the authentication request. The second access control information indicates that a verification operation is performed upon receiving the authentication request.

[0337] Receive the verification result returned by the management server.

[0338] Optionally, the second verification module 2303 is used for:

[0339] If the process information corresponding to the process identifier is not stored in the management client, an authentication request is sent to the management server.

[0340] Receive the verification result returned by the management server.

[0341] Optionally, the resource access module is used for:

[0342] If the resource access request passes verification, the management client sends the request to the business server, which then returns the target resource corresponding to the request; or...

[0343] If the resource access request is successfully verified, the resource access request is sent to the business server through the management client and the access gateway.

[0344] Optionally, the resource access module is used for:

[0345] The management client sends a network request to the access gateway. The network request carries the verification credentials sent to the terminal by the management server corresponding to the management client. The access gateway is used to send a verification request carrying the verification credentials to the management server based on the third access control information. The management server is used to verify the verification credentials and return the verification result to the access gateway. The access gateway is also used to establish a connection between the access gateway and the terminal if the verification credentials are verified successfully. The third access control information indicates that the verification operation should be performed when the verification request is received.

[0346] Based on the established connection, a resource access request is sent to the access gateway, which is used to send the resource access request to the business server.

[0347] Optionally, the second verification module is used for:

[0348] Within the target time period after the status information verification is successful, the resource access request is verified based on the first access control information.

[0349] Optionally, the device further includes:

[0350] The request deletion module is used to delete resource access requests if the status information verification fails.

[0351] Optionally, the device further includes:

[0352] The request deletion module is used to delete resource access requests if the resource access request fails to pass verification.

[0353] Optionally, the resource access request carries a process identifier, and the device further includes:

[0354] The process cleanup module is used to clean up the target process corresponding to the process identifier when the resource access request fails to be verified.

[0355] Optionally, the management client includes a first sub-client and a second sub-client;

[0356] The first sub-client is used to intercept resource access requests and forward resource access requests;

[0357] The second sub-client is used to verify status information and resource access requests.

[0358] The apparatus provided in this application, in order to ensure the security of the terminal during resource access, first verifies the current state information of the terminal. Then, if the state information verification passes, i.e., if the terminal is currently secure, it verifies the resource access request based on the first access control information. Resource access is then granted only if the resource access request verification passes. Combining the verification of state information and the verification of the resource access request not only increases the amount of verification information but also, because it uses the terminal's current state information, enables real-time verification of the terminal, thus making the verification process more complete and improving the security of resource access.

[0359] All of the above-mentioned optional technical solutions can be combined in any way to form the optional embodiments of this application, and will not be described in detail here.

[0360] It should be noted that the resource access device provided in the above embodiments is only illustrated by the division of the above functional modules when accessing resources. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the computer device can be divided into different functional modules to complete all or part of the functions described above. In addition, the resource access device and the resource access method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process can be found in the method embodiments, which will not be repeated here.

[0361] Figure 24 This is a schematic diagram of the structure of a resource access device provided in an embodiment of this application. See also... Figure 24 The device includes:

[0362] The authentication request receiving module 2401 is used to receive the authentication request sent by the terminal through the management client. The authentication request carries first process information, which corresponds to the process identifier carried in the resource access request intercepted by the management client. It is obtained from the first client that sent the resource access request. The process identifier indicates the process in the first client that requests resource access.

[0363] The verification module 2402 is used to verify the authentication request based on the second access control information and return the verification result of the authentication request to the terminal. The terminal is used to receive the verification result and, if the verification result indicates that the resource access request has been verified, to access the resource based on the resource access request. The second access control information indicates that the verification operation is performed when the authentication request is received.

[0364] Optionally, the authentication request also carries a process identifier and a verification module, which is used to verify the first process information if the process identifier belongs to a set of process identifiers, the set of process identifiers including the process identifiers corresponding to processes that are allowed to access resources.

[0365] Optionally, the verification module 2402 is used for:

[0366] If the first process information matches the third process information, the verification of the first process information is deemed successful, and the third process information is the process information stored in the local device corresponding to the process identifier; or,

[0367] If the local device does not store process information corresponding to the process identifier, it sends an authentication request to the cloud server and receives the verification result of the first process information returned by the cloud server. The cloud server stores the latest process information, which is used to verify the first process information based on the authentication request.

[0368] Optionally, the device also includes:

[0369] The storage module is used to receive third-party process information sent by the cloud server;

[0370] The storage module is also used to store the process identifier and the corresponding information of the third process.

[0371] The apparatus provided in this application embodiment verifies the resource access request initiated by the client in the terminal through a management server. The management server sends the verification result to the terminal, and then the terminal accesses the resource. Through the interaction between the terminal and the management server, the verification of the resource access request is realized. This verification method distributes the verification process across different devices, thereby making the verification process more flexible.

[0372] All of the above-mentioned optional technical solutions can be combined in any way to form the optional embodiments of this application, and will not be described in detail here.

[0373] It should be noted that the resource access device provided in the above embodiments is only illustrated by the division of the above functional modules when accessing resources. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the computer device can be divided into different functional modules to complete all or part of the functions described above. In addition, the resource access device and the resource access method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process can be found in the method embodiments, which will not be repeated here.

[0374] Figure 25 This is a schematic diagram of the structure of a resource access device provided in an embodiment of this application. See also... Figure 25 The device includes:

[0375] The network request receiving module 2501 is used to receive network requests sent by the terminal. The network request is sent by the terminal after the management server has verified the terminal's resource access request. The network request carries the verification credentials sent by the management server to the terminal.

[0376] The verification request sending module 2502 is used to send a verification request carrying verification credentials to the management server based on third access control information. The management server is used to verify the verification credentials. The third access control information indicates that a verification operation should be performed when a network request is received.

[0377] The connection establishment module 2503 is used to establish a connection with the terminal after the management server has verified the authentication credentials. The connection is used by the terminal to send resource access requests.

[0378] The apparatus provided in this application embodiment allows a terminal to access resources through an access gateway. The access gateway interacts with a management server, which verifies the authentication credentials. Only when the authentication credentials are successfully verified can a connection be established for resource access. This avoids the access gateway establishing a connection based on invalid authentication credentials. The management server's verification of authentication credentials makes the verification process more complete, thereby improving the security of resource access.

[0379] It should be noted that the resource access device provided in the above embodiments is only illustrated by the division of the above functional modules when accessing resources. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the computer device can be divided into different functional modules to complete all or part of the functions described above. In addition, the resource access device and the resource access method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process can be found in the method embodiments, which will not be repeated here.

[0380] This application also provides a terminal, which includes a processor and a memory. The memory stores at least one computer program, which is loaded and executed by the processor to perform the operations performed by the resource access method of the above embodiments.

[0381] Figure 26 This is a schematic diagram of the structure of a terminal 2600 provided in an embodiment of this application. The terminal 2600 can be a portable mobile terminal, such as a smartphone, tablet computer, MP3 player (Moving Picture Experts Group Audio Layer III), MP4 player (Moving Picture Experts Group Audio Layer IV), laptop computer, or desktop computer. The terminal 2600 may also be referred to as user equipment, portable terminal, laptop terminal, desktop terminal, or other names.

[0382] Terminal 2600 includes: processor 2601 and memory 2602.

[0383] Processor 2601 may include one or more processing cores, such as a quad-core processor or an octa-core processor. Processor 2601 may be implemented using at least one hardware form selected from DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), and PLA (Programmable Logic Array). Processor 2601 may also include a main processor and a coprocessor. The main processor, also known as a CPU (Central Processing Unit), is used to process data in the wake-up state; the coprocessor is a low-power processor used to process data in the standby state. In some embodiments, processor 2601 may integrate a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the screen. In some embodiments, processor 2601 may also include an AI (Artificial Intelligence) processor, which is used to handle computational operations related to machine learning.

[0384] The memory 2602 may include one or more computer-readable storage media, which may be non-transitory. The memory 2602 may also include high-speed random access memory and non-volatile memory, such as one or more disk storage devices or flash memory devices. In some embodiments, the non-transitory computer-readable storage media in the memory 2602 are used to store at least one computer program, which is executed by the processor 2601 to implement the resource access method provided in the method embodiments of this application.

[0385] In some embodiments, the terminal 2600 may optionally include a peripheral device interface 2603 and at least one peripheral device. The processor 2601, memory 2602, and peripheral device interface 2603 can be connected via a bus or signal line. Each peripheral device can be connected to the peripheral device interface 2603 via a bus, signal line, or circuit board. Specifically, the peripheral device includes at least one of the following: a radio frequency circuit 2604, a display screen 2605, a camera assembly 2606, an audio circuit 2607, a positioning assembly 2608, and a power supply 2609.

[0386] Peripheral device interface 2603 can be used to connect at least one I / O (Input / Output) related peripheral device to processor 2601 and memory 2602. In some embodiments, processor 2601, memory 2602 and peripheral device interface 2603 are integrated on the same chip or circuit board; in some other embodiments, any one or two of processor 2601, memory 2602 and peripheral device interface 2603 can be implemented on separate chips or circuit boards, which is not limited in this embodiment.

[0387] The radio frequency (RF) circuit 2604 is used to receive and transmit RF (Radio Frequency) signals, also known as electromagnetic signals. The RF circuit 2604 communicates with communication networks and other communication devices via electromagnetic signals. The RF circuit 2604 converts electrical signals into electromagnetic signals for transmission, or converts received electromagnetic signals back into electrical signals. Optionally, the RF circuit 2604 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a user identity module card, etc. The RF circuit 2604 can communicate with other terminals through at least one wireless communication protocol. This wireless communication protocol includes, but is not limited to: the World Wide Web, metropolitan area networks, intranets, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and / or WiFi (Wireless Fidelity) networks. In some embodiments, the RF circuit 2604 may also include circuitry related to NFC (Near Field Communication), which is not limited in this application.

[0388] Display screen 2605 is used to display a UI (User Interface). This UI may include graphics, text, icons, videos, and any combination thereof. When display screen 2605 is a touch display screen, it also has the ability to collect touch signals on or above its surface. These touch signals can be input as control signals to processor 2601 for processing. In this case, display screen 2605 can also be used to provide virtual buttons and / or a virtual keyboard, also known as soft buttons and / or a soft keyboard. In some embodiments, there may be one display screen 2605, disposed on the front panel of terminal 2600; in other embodiments, there may be at least two display screens, disposed on different surfaces of terminal 2600 or in a folded design; in still other embodiments, display screen 2605 may be a flexible display screen, disposed on a curved or folded surface of terminal 2600. Furthermore, display screen 2605 may be configured as a non-rectangular, irregular shape, i.e., a non-rectangular screen. The display screen 2605 can be made of materials such as LCD (Liquid Crystal Display) and OLED (Organic Light-Emitting Diode).

[0389] The camera assembly 2606 is used to acquire images or videos. Optionally, the camera assembly 2606 includes a front-facing camera and a rear-facing camera. The front-facing camera is disposed on the front panel of the terminal, and the rear-facing camera is disposed on the back of the terminal. In some embodiments, there are at least two rear-facing cameras, which are any one of a main camera, a depth-sensing camera, a wide-angle camera, and a telephoto camera, to achieve background blurring by fusion of the main camera and the depth-sensing camera, panoramic shooting by fusion of the main camera and the wide-angle camera, VR (Virtual Reality) shooting, or other fusion shooting functions. In some embodiments, the camera assembly 2606 may also include a flash. The flash can be a single-color temperature flash or a dual-color temperature flash. A dual-color temperature flash refers to a combination of a warm light flash and a cool light flash, which can be used for light compensation at different color temperatures.

[0390] The audio circuit 2607 may include a microphone and a speaker. The microphone is used to collect sound waves from the user and the environment, converting the sound waves into electrical signals that are input to the processor 2601 for processing, or input to the radio frequency circuit 2604 for voice communication. For stereo sound acquisition or noise reduction purposes, multiple microphones may be used, each located at a different part of the terminal 2600. The microphone may also be an array microphone or an omnidirectional microphone. The speaker is used to convert electrical signals from the processor 2601 or the radio frequency circuit 2604 into sound waves. The speaker may be a conventional diaphragm speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, it can convert electrical signals not only into audible sound waves but also into inaudible sound waves for purposes such as distance measurement. In some embodiments, the audio circuit 2607 may also include a headphone jack.

[0391] The positioning component 2608 is used to locate the current geographical location of the terminal 2600 in order to enable navigation or LBS (Location Based Service). The positioning component 2608 can be a positioning component based on the US GPS (Global Positioning System), China's BeiDou system, Russia's Granas positioning system, or the European Union's Galileo positioning system.

[0392] Power supply 2609 is used to power the various components in terminal 2600. Power supply 2609 can be AC ​​power, DC power, a disposable battery, or a rechargeable battery. When power supply 2609 includes a rechargeable battery, the rechargeable battery can be a wired rechargeable battery or a wireless rechargeable battery. A wired rechargeable battery is a battery that is charged via a wired line, and a wireless rechargeable battery is a battery that is charged via a wireless coil. The rechargeable battery can also be used to support fast charging technology.

[0393] Those skilled in the art will understand that Figure 26 The structure shown does not constitute a limitation on terminal 2600 and may include more or fewer components than shown, or combine certain components, or use different component arrangements.

[0394] This application also provides a server, which includes a processor and a memory. The memory stores at least one computer program, which is loaded and executed by the processor to perform the operations performed by the resource access method of the above embodiments.

[0395] Figure 27This is a schematic diagram of a server structure provided in an embodiment of this application. The server 2700 can vary significantly due to different configurations or performance. It may include one or more Central Processing Units (CPUs) 2701 and one or more memories 2702. The memories 2702 store at least one computer program, which is loaded and executed by the processor 2701 to implement the methods provided in the above-described method embodiments. Of course, the server may also have wired or wireless network interfaces, a keyboard, and input / output interfaces for input and output. The server may also include other components for implementing device functions, which will not be elaborated upon here.

[0396] This application also provides a computer-readable storage medium storing at least one computer program, which is loaded and executed by a processor to implement the operations performed by the resource access method of the above embodiments.

[0397] This application also provides a computer program product, which includes a computer program that, when executed by a processor, implements the operations performed by the resource access method of the above embodiments.

[0398] In some embodiments, the computer program involved in the present application embodiments may be deployed and executed on a computer device, or executed on multiple computer devices located in one location, or executed on multiple computer devices distributed in multiple locations and interconnected through a communication network. Multiple computer devices distributed in multiple locations and interconnected through a communication network may constitute a blockchain system.

[0399] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer-readable storage medium, such as a read-only memory, a disk, or an optical disk.

[0400] The above are merely optional embodiments of the present application and are not intended to limit the present application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present application should be included within the protection scope of the present application.

Claims

1. A resource access method, characterized by, The method comprises: intercepting a resource access request sent by a first client based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in a terminal; verifying current state information of the terminal; verifying the resource access request based on the first access control information in a case where the state information verification is passed; performing resource access based on the resource access request in a case where the resource access request verification is passed.

2. The method of claim 1, wherein, The method comprises: intercepting a resource access request sent by a first client based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in a terminal; 3. The method of claim 2, wherein, verifying current state information of the terminal; verifying the resource access request based on the first access control information in a case where the state information verification is passed; performing resource access based on the resource access request in a case where the resource access request verification is passed. The method comprises:

4. The method of claim 2, wherein, intercepting a resource access request sent by a first client based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in a terminal; verifying current state information of the terminal; verifying the resource access request based on the first access control information in a case where the state information verification is passed; performing resource access based on the resource access request in a case where the resource access request verification is passed.

5. The method of claim 1, wherein, The method comprises: intercepting a resource access request sent by a first client based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in a terminal; verifying current state information of the terminal; verifying the resource access request based on the first access control information in a case where the state information verification is passed; 6. The method of claim 2, wherein, performing resource access based on the resource access request in a case where the resource access request verification is passed. The method comprises: intercepting a resource access request sent by a first client based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in a terminal; verifying current state information of the terminal; verifying the resource access request based on the first access control information in a case where the state information verification is passed; performing resource access based on the resource access request in a case where the resource access request verification is passed. The method comprises: intercepting a resource access request sent by a first client based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in a terminal; verifying current state information of the terminal; verifying the resource access request based on the first access control information in a case where the state information verification is passed; performing resource access based on the resource access request in a case where the resource access request verification is passed. intercepting the resource access request when the management client is in a second interception mode and a target address carried by the resource access request belongs to a first address set, the second interception mode indicating that the resource access request sent by any client in the terminal for accessing a non-public resource is intercepted, and the first address set comprising an address of the non-public resource.

7. The method of claim 2, wherein, The resource access request carries a process identifier, the process identifier indicating a process for requesting resource access, the first access control information indicating a verification operation on process information corresponding to the process identifier, and the verifying the resource access request based on the first access control information when the state information is verified comprises: obtaining first process information corresponding to the process identifier from the first client based on the process identifier when the state information is verified; obtaining second process information corresponding to the process identifier from the management client based on the process identifier; sending an authentication request to a management server corresponding to the management client when the first process information matches the second process information, the authentication request carrying the first process information, the management server being configured to verify the authentication request based on second access control information, the second access control information indicating a verification operation when the authentication request is received; and receiving a verification result returned by the management server.

8. The method of claim 2, wherein, The verifying the resource access request based on the resource access request when the resource access request is verified comprises: sending the resource access request to a service server through the management client when the resource access request is verified, the service server being configured to return a target resource corresponding to the resource access request; or sending the resource access request to a service server through the management client and an access gateway when the resource access request is verified.

9. The method of claim 8, wherein, The sending the resource access request to a service server through the management client and an access gateway comprises: sending a network request to the access gateway through the management client, the network request carrying a verification credential sent by a management server corresponding to the management client to the terminal, wherein the access gateway is configured to send a verification request carrying the verification credential to the management server based on third access control information, the management server being configured to verify the verification credential and return a verification result of the verification credential to the access gateway, the access gateway being further configured to establish a connection between the access gateway and the terminal when the verification credential is verified, and the third access control information indicating a verification operation when the verification request is received; and sending the resource access request to the access gateway based on the established connection, the access gateway being configured to send the resource access request to the service server.

10. A resource access method, characterized by, The method comprises: The receiving terminal sends an authentication request through a management client, the management client is used to intercept a resource access request sent by a first client of the terminal based on first access control information, the first access control information indicates that the resource access request is intercepted and a verification operation is performed in the case that the resource access request is sent by any client in the terminal; the current state information of the terminal is verified, in the case that the state information verification is passed, the first process information corresponding to a process identifier carried by the resource access request is verified based on the first access control information; the authentication request is sent based on the first access control information in the case that the first process information meets the condition; the first process information is obtained from the first client sending the resource access request, and the process identifier indicates a process in the first client requesting resource access; The authentication request is verified based on second access control information, and a verification result of the authentication request is returned to the terminal, the terminal is used to receive the verification result, and resource access is performed based on the resource access request in the case that the verification result indicates that the resource access request verification is passed, and the second access control information indicates that the verification operation is performed in the case that the authentication request is received.

11. A resource access method, characterized by, The method comprises: A network request sent by a terminal is received, the terminal is used to intercept a resource access request sent by a first client based on first access control information, the first access control information indicates that the resource access request is intercepted and a verification operation is performed in the case that the resource access request is sent by any client in the terminal; the current state information of the terminal is verified; in the case that the state information verification is passed, the resource access request is verified based on the first access control information through a management server; in the case that the resource access request verification is passed, the network request is sent, and the network request carries a verification credential sent by the management server to the terminal; A verification request carrying the verification credential is sent to a management server based on third access control information, the management server is used to verify the verification credential, and the third access control information indicates that the verification operation is performed in the case that the network request is received; In the case that the management server verifies the verification credential, a connection between the terminal and the management server is established, and the connection is used for the terminal to send the resource access request.

12. A resource access system, characterized by The resource access system comprises a terminal and a management server; The terminal is used to intercept a resource access request sent by a first client based on first access control information through a management client, and the first access control information indicates that the resource access request is intercepted and a verification operation is performed in the case that the resource access request is sent by any client in the terminal; The terminal is also used to verify the current state information of the terminal; The terminal is further configured to, in a case where the state information is verified to be correct, send an authentication request to the management server based on the first access control information, the authentication request carrying first process information corresponding to a process identifier carried in the resource access request, the first process information being obtained from the first client, the process identifier indicating a process in the first client that requests to access resources; The management server is configured to verify the authentication request based on second access control information, and return a verification result of the authentication request to the terminal, the second access control information indicating that a verification operation is performed in a case where the authentication request is received; The terminal is further configured to receive the verification result, and perform resource access based on the resource access request in a case where the verification result indicates that the resource access request is verified to be correct.

13. A resource access device, characterized by The apparatus comprises: A request interception module configured to intercept a resource access request sent by a first client based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in a terminal; A first verification module configured to verify current state information of the terminal; A second verification module configured to verify the resource access request based on the first access control information in a case where the state information is verified to be correct; A resource access module configured to perform resource access based on the resource access request in a case where the resource access request is verified to be correct.

14. A resource access device, characterized by The apparatus comprises: An authentication request receiving module configured to receive an authentication request sent by a terminal through a management client, the management client being configured to intercept a resource access request sent by a first client of the terminal based on first access control information, the first access control information indicating that the resource access request is intercepted and a verification operation is performed in a case where the resource access request is sent by any client in the terminal; verify current state information of the terminal, verify first process information corresponding to a process identifier carried in the resource access request based on the first access control information in a case where the state information is verified to be correct, and send the authentication request based on the first access control information in a case where the first process information meets a condition; the authentication request carries the first process information, the first process information being obtained from the first client that sends the resource access request, and the process identifier indicating a process in the first client that requests to access resources; A verification module configured to verify the authentication request based on second access control information, and return a verification result of the authentication request to the terminal, the terminal being configured to receive the verification result, and perform resource access based on the resource access request in a case where the verification result indicates that the resource access request is verified to be correct, the second access control information indicating that a verification operation is performed in a case where the authentication request is received.

15. A resource access device, characterized by The apparatus comprises: The network request receiving module is configured to receive a network request sent by a terminal, wherein the terminal is configured to intercept a resource access request sent by a first client based on first access control information, the first access control information indicates that the resource access request is intercepted and a verification operation is performed in a case where any client in the terminal sends the resource access request; verify current state information of the terminal; in a case where the state information verification is passed, verify the resource access request based on the first access control information through a management server; in a case where the resource access request verification is passed, send the network request, wherein the network request carries a verification credential sent by the management server to the terminal; The verification request sending module is configured to send a verification request carrying the verification credential to a management server based on third access control information, wherein the management server is configured to verify the verification credential, and the third access control information indicates that a verification operation is performed in a case where a network request is received; The connection establishing module is configured to establish a connection with the terminal in a case where the management server verifies the verification credential successfully, and the connection is used for the terminal to send the resource access request.

16. A terminal, characterized by The terminal comprises a processor and a memory, and the memory stores at least one computer program, which is loaded and executed by the processor to implement the operations performed by the resource access method according to any one of claims 1 to 9.

17. A management server, characterized by The management server comprises a processor and a memory, and the memory stores at least one computer program, which is loaded and executed by the processor to implement the operations performed by the resource access method according to claim 10.

18. An access gateway, characterized by The access gateway comprises a processor and a memory, and the memory stores at least one computer program, which is loaded and executed by the processor to implement the operations performed by the resource access method according to claim 11.

19. A computer-readable storage medium, characterized in that, The computer readable storage medium stores at least one computer program, which is loaded and executed by the processor to implement the operations performed by the resource access method according to any one of claims 1 to 9, or to implement the operations performed by the resource access method according to claim 10, or to implement the operations performed by the resource access method according to claim 11.

20. A computer program product comprising a computer program, characterized in that, The computer program is executed by the processor to implement the operations performed by the resource access method according to any one of claims 1 to 9, or to implement the operations performed by the resource access method according to claim 10, or to implement the operations performed by the resource access method according to claim 11.