CN104169930B - resource access method and device - Google Patents

Publication number
CN104169930B
Authority
CN
China
Prior art keywords
resource
access
access rights
rule
rights
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201280001197.XA
Other languages
Chinese (zh)
Other versions
CN104169930A (en)
Inventor
许斌
张永靖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of CN104169930A
Application granted
Publication of CN104169930B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2145 Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)

Abstract

An embodiment of the invention discloses a resource access method and device. The method comprises: receiving a resource access request from an access device; obtaining, according to the resource access request, at least two access rights resource IDs of the resource; reading, according to the access rights resource IDs, the access rights resource indicated by each access rights resource ID; determining an access rule set for the resource according to the resolution rule for the resource and the access rights resources; and responding to the resource access request of the access device according to the access rule set, the device ID and the resource access operation indication. The resource access method and device of the embodiments of the invention allow access rights resources to be inherited between resources, so that the access rights of a resource adjust automatically when the access rights of the resource it inherits from are modified, which improves the efficiency of managing resource access rights.

Description

Resource access method and device
Technical field
The present invention relates to the field of communications, and in particular to a resource access method and device.
Background
Machine-to-machine communication (Machine-to-Machine Communications, M2M) is a networked application and service centered on intelligent interaction between machines. By embedding wireless or wired communication modules and application processing logic in machines, it achieves data communication without human intervention, meeting users' information system requirements in areas such as monitoring, command and dispatch, data collection and measurement.
In M2M, access control mechanisms prevent unauthorized applications from illegitimately accessing data on M2M terminals, gateways and service platforms, thereby protecting the privacy and security of all kinds of data. In general, the elements involved in one access are the requester (the access subject), the access operation (such as "read" or "write") and the accessed object (the access object). An access control mechanism works as follows: when an access subject issues a request to perform some access operation on an access object, the request is allowed or forbidden according to the access rules related to that access object, that is, its access rule set.
In the M2M specification currently defined by the European Telecommunications Standards Institute (ETSI), access rule sets are configured in access rights resources, and each kind of resource (access object) references an access rights resource through its access rights resource identifier to complete the configuration of its access rights.
The ETSI M2M specification stipulates that an access rights resource identifier can reference only zero or one access rights resource. When it references zero resources, the system by default references the access rights resource of the resource's parent, so in substance one access rights resource is still referenced. In this situation there are two ways to configure the access rights resource identifier of a resource, depending on the requirement. Method one: the resource to be configured has no relationship with other resources in terms of access rights, so a new access rights resource that meets the requirement is created and the resource references it. Method two: the resource to be configured is related to other resources in terms of access rights, for example resources in a parent-child relationship have an inheritance relationship, so the resource directly references the access rights resource of the other resource. Because M2M organizes and manages resources as a resource tree, resources have hierarchical relationships and many relationships with one another, so method two (directly referencing the access rights resource of another resource) is often used to configure the access rights of a resource.
However, when a resource is accessed by multiple applications and each application has different access rights, or when the access rights of a resource partly reference another resource but also differ from those of the referenced resource, the prior art can only reconfigure the rights for that resource from scratch and cannot achieve this by referencing access rights. This makes the management and maintenance of resource access rights inconvenient.
Summary of the invention
The present invention provides a resource access method and device that implement inheritance of access rights between resources and improve the efficiency of managing resource access rights.
In one aspect, a resource access method is provided, including: receiving a resource access request from an access device, the resource access request including an access device ID, an access resource ID and a resource access operation indication; obtaining, according to the access resource ID, at least two access rights resource IDs of the resource corresponding to the access resource ID, and reading, according to the at least two access rights resource IDs, the access rights resource indicated by each access rights resource ID; determining an access rule set for the resource according to the resolution rule for the resource and the access rights resources; and responding to the resource access request of the access device according to the access rule set, the device ID and the resource access operation indication.
Optionally, the method further includes: receiving a setting request for the access rights of the resource, the setting request including at least two access rights resource IDs, and setting the access rights of the resource according to the at least two access rights resource IDs.
Optionally, the setting request further includes a rule-resolution identifier, and determining the access rule set for the resource according to the resolution rule for the resource and the access rights resources includes: resolving the access rights resources according to the resolution rule corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
Optionally, the setting request further includes an access rights resource priority rule, and determining the access rule set for the resource according to the resolution rule for the resource and the access rights resources includes: resolving the access rights resources according to the access rights resource priority rule and the resolution rule corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
Optionally, the setting request further includes a partition of the multiple access rights resources into blocks, so that the multiple access rights resources comprise an access rights resource parent block and multiple child blocks corresponding to the parent block, where the parent block and each of its child blocks include a corresponding rule-resolution identifier, and determining the access rule set for the resource according to the resolution rule for the resource and the access rights resources includes: first resolving the access rights resources according to the resolution rule corresponding to the rule-resolution identifier of the parent block, and then resolving the access rights resources of the child blocks according to the rule-resolution identifiers corresponding to the child blocks, to obtain the access rule set for the resource.
Optionally, the setting request further includes priority rules for the parent block and the child blocks, and determining the access rule set for the resource according to the resolution rule for the resource and the access rights resources includes: first resolving the access rights resources according to the resolution rule corresponding to the rule-resolution identifier of the parent block and its priority rule, and then resolving the access rights resources of the child blocks according to the resolution rules corresponding to the rule-resolution identifiers of the child blocks and their priority rules, to obtain the resource access rule set for the resource.
Optionally, the setting request includes at least two indirect access rights resource IDs, and determining the access rule set for the resource according to the resolution rule for the resource and the access rights resources includes: obtaining an access rights resource address according to each indirect access rights resource ID and reading the access rights resource according to that address; and resolving the access rights resources according to the resolution rule corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
Optionally, the access rule set includes an access subject set and an access operation set corresponding to each access subject, and responding to the resource access request of the access device according to the access rule set, the device ID and the resource access operation indication includes: if the access device matches the access subject set and the access operation indicated by the resource access operation indication matches the access operation set, allowing the access device to access the resource; if the access device does not match the access subject set, or the access device matches the access subject set but the access operation indicated by the resource access operation indication does not match the access operation set of the access device, refusing the access device access to the resource; if the access device matches the access subject set but the access operation set of the access device is "None", refusing all access operation requests of the access device.
In another aspect, a resource access device is provided, including: a receiving unit, configured to receive a resource access request from an access device, the resource access request including an access device ID, an access resource ID and a resource access operation indication; an acquiring unit, configured to obtain, according to the access resource ID, at least two access rights resource IDs of the resource corresponding to the access resource ID, to read, according to the at least two access rights resource IDs, the access rights resource indicated by each access rights resource ID, and further to determine an access rule set for the resource according to the resolution rule for the resource and the access rights resources; and a response unit, configured to respond to the resource access request of the access device according to the access rule set, the device ID and the resource access operation indication.
Optionally, the resource access device further includes a setting unit, configured to set the access rights of the resource. The setting unit includes: a receiving subunit, configured to receive a setting request for the access rights of the resource, the setting request including at least two access rights resource IDs; and a setting subunit, configured to set the access rights resource identifier of the resource according to the setting request received by the receiving subunit, so that the access rights resource identifier of the resource includes the at least two access rights resource IDs.
Optionally, the receiving subunit is specifically configured to receive a setting request for the access rights of the resource, the setting request further including a rule-resolution identifier. The acquiring unit includes: a first acquiring unit, configured to obtain the at least two access rights resource IDs in the access rights identifier of the resource and to read the access rights resources according to the access rights resource IDs; and a second acquiring unit, configured to resolve the access rights resources according to the resolution rule corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive an access rights setting request for the resource, the setting request further including an access rights resource priority rule. The acquiring unit further includes a third acquiring unit, configured to resolve the access rights resources according to the access rights resource priority rule and the resolution rule corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive a setting request for the access rights of the resource, the setting request further including a partition of the multiple access rights resources into blocks, so that the multiple access rights resources comprise an access rights resource parent block and multiple child blocks corresponding to the parent block, where the parent block and each of its child blocks include a corresponding rule-resolution identifier. The acquiring unit further includes a fourth acquiring unit, configured to first resolve the access rights resources according to the resolution rule corresponding to the rule-resolution identifier of the parent block, and then resolve the access rights resources of the child blocks according to the rule-resolution identifiers corresponding to the child blocks, to obtain the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive a setting request for the access rights of the resource, the setting request further including respective priority rules for the parent block and the child blocks. The acquiring unit further includes a fifth acquiring unit, configured to first resolve the access rights resources according to the resolution rule corresponding to the rule-resolution identifier of the parent block and its priority rule, and then resolve the access rights resources of the child blocks according to the rule-resolution identifiers corresponding to the child blocks and their priority rules, to obtain the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive a setting request for the access rights of the resource, the setting request including at least two indirect access rights resource IDs. The acquiring unit further includes a sixth acquiring unit, configured to obtain an access rights resource address according to each indirect access rights resource ID and read the access rights resource according to that address, and to resolve the access rights resources according to the resolution rule corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
Optionally, the response unit is specifically configured to: if the access device matches the access subject set and the access operation indicated by the resource access operation indication matches the access operation set of the access device, allow the access device to access the resource; if the access device does not match the access subject set, or the access device matches the access subject set but the resource access operation does not match the access operation set, refuse the access device access to the resource; if the access device matches the access subject set but the access operation set of the access device is "None", refuse all access operation requests of the access device.
Optionally, the device includes: an M2M terminal, an M2M platform and an M2M gateway.
In the resource access method and resource access device of the embodiments of the invention, a subject that has permission to configure resources sets the access rights resource identifier of a resource in the resource access mechanism, adding the access rights resource IDs of other resources to that identifier. The resource access device can then obtain the related access rights resources according to these access rights resource IDs and resolve them according to its own configured resolution rule. This implements mutual inheritance of access rights resources between resources, so that the access rights of a resource adjust automatically when the access rights of the resource it inherits from are modified. It improves the efficiency of managing resource access rights, and at the same time improves the utilization of the storage space for access rights resources and saves storage space.
Brief description of the drawings
Fig. 1 is a typical M2M system architecture diagram;
Fig. 2 is a flowchart of the resource access method of one embodiment of the invention;
Fig. 3A is a signaling interaction diagram for setting the access rights identifier of a resource in the resource access method of one embodiment of the invention;
Fig. 3B is the Representational State Transfer (RESTful) resource tree of a resource in one embodiment of the invention;
Fig. 4 is a signaling interaction diagram of the resource access method of one embodiment;
Fig. 5 is a signaling interaction diagram for configuring the access rights resource identifier of a resource in the resource access method of another embodiment of the invention;
Fig. 6 is the resource access method of the present embodiment;
Fig. 7 is a signaling interaction diagram for setting the access rights resource identifier in the resource access method of another embodiment of the invention;
Fig. 8 is a signaling interaction diagram of the resource access method of another embodiment;
Fig. 9A is a signaling interaction diagram for setting the access rights resource identifier of a resource in the resource access method of yet another embodiment of the invention;
Fig. 9B is a structure diagram of an access rights resource identifier with multiple access rights resource blocks in one embodiment of the invention;
Fig. 10 is a signaling interaction diagram of the resource access method of yet another embodiment of the invention;
Fig. 11 is a schematic diagram of the resource access device of one embodiment of the invention;
Fig. 12 is a schematic diagram of the setting unit in the resource access device of one embodiment of the invention;
Fig. 13 is a schematic diagram of the acquiring unit in the resource access device of one embodiment of the invention;
Fig. 14 is a schematic diagram of the resource access device of another embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a typical M2M system architecture diagram, including:
M2M network application NA 101, which registers with the M2M service platform 102 and accesses the data collected by M2M devices through the mId interface, and is also used for remote device management of M2M devices;
M2M device D' 104, connected to the M2M service platform 102 through the M2M gateway G 103;
M2M device d 105, connected to the M2M service platform 102 through the M2M gateway G 103;
M2M device d 105', connected to the M2M service platform 102 through the M2M device D 106.
Here, M2M device d 105 and M2M device d 105' are legacy devices that do not conform to the ETSI M2M specification. M2M device D and M2M device D' are devices that conform to the ETSI M2M specification: M2M device D has the service capability layer (SCL, Service Capability Layer) defined by the ETSI M2M standard, while M2M device D' does not.
The M2M gateway G 103 uses the gateway interworking proxy function (GIP, Gateway Interworking Proxy) to interconnect with the M2M legacy device d and the M2M device D' over wireless or wired communication (for example, Zigbee, Bluetooth, DLMS/COSEM, Zwave, BACnet, ANSI C12, mBus, etc.). The mId interface between the M2M gateway or M2M device D and the M2M platform generally uses wired or wireless wide-area or local-area network communication (for example, xDSL, HFC, satellite, GERAN, UTRAN, eUTRAN, W-LAN and WiMAX).
The overall technical solution of one embodiment of the invention is introduced below. Fig. 2 is a flowchart of the resource access method of one embodiment of the invention, including:
201. Receive a resource access request from an access device, the resource access request including an access device ID, an access resource ID and a resource access operation indication.
Specifically, the middleware receives a resource access request from the access device that requests an operation on a resource, such as a read or a write. The middleware is a logical entity deployed in an M2M terminal, M2M gateway or M2M platform. The resource access request includes the access device ID, the access resource ID and the specific access operation indication for the resource.
It should be noted that the access device can be an M2M terminal, an M2M platform or an M2M gateway.
In addition, the middleware has set the access rights of the resource in advance. Specifically, according to a requesting device's access rights setting request for the resource, the middleware sets the access rights resource identifier of the resource so that it includes at least two introduced access rights resource IDs, each of which points to an access rights resource. An access rights resource includes an access rule set, and each access rule includes at least an access subject set and an access operation set. The access subject set includes the access subjects allowed to access the resource; an access subject can be described by a URI, a global identifier or an identifier with a specific meaning. The access operation set includes the access operations permitted for the corresponding allowed access subject, such as "read" and "write"; similarly, an access operation can be described by a URI, a global identifier or an identifier with a specific meaning.
202. Obtain, according to the access resource ID, at least two access rights resource IDs of the resource corresponding to the access resource ID, and read, according to the at least two access rights resource IDs, the access rights resource indicated by each access rights resource ID.
Specifically, based on the resource ID specified in the access request, the middleware can look up the access rights resource identifier of the corresponding resource, obtain the access rights resource IDs it contains, and read the access rights resource each access rights resource ID points to.
In general, an access rights resource ID includes the URI of the access rights resource, and the middleware can obtain the corresponding access rights resource according to this URI.
203. Determine the access rule set for the resource according to the resolution rule for the resource and the access rights resources.
Specifically, the middleware can preset the rule-resolution identifier for access rights resources; this identifier indicates the default resolution rule configured in the middleware. The access rights resources can be resolved with this resolution rule to obtain the access rule set of the resource.
204. Respond to the resource access request of the access device according to the access rule set, the device ID and the resource access operation indication.
Specifically, the middleware determines whether the access device ID matches the access subject set in the access rule set, that is, whether the device is one of the access subjects in the access subject set, and then determines whether the access operation of the access device matches that subject's access operation set, that is, whether the operation is one the access operation set allows.
When the access device meets both conditions, the middleware allows it to perform the access operation on the resource it specified. Otherwise, when the access device fails either condition, the middleware refuses the access operation on the specified resource.
In the resource access method of the embodiment described above, a subject that has permission to configure resources sets the access rights of a resource, adding the access rights resource IDs of other resources to its access rights resource identifier, so that the middleware can obtain the related access rights resources according to these access rights resource IDs. This implements mutual inheritance of access rights resources between resources, so that the access rights of a resource adjust automatically when the access rights of the resource it inherits from are modified. It improves the efficiency of managing resource access rights, and at the same time improves the utilization of the storage space for access rights resources and saves storage space.
The resource access method of an embodiment of the invention is described below from the perspective of setting the access rights resource identifier. Figure 3A shows the signaling interaction for setting the access rights identifier of a resource in this method, including:
301. A resource setting requesting device sends a request to set the access rights of a resource to a receiving device, such as an M2M terminal, M2M gateway or M2M platform. The setting request includes at least two resource access rights identifications and the identification of the resource, and asks that the access rights of the resource corresponding to that identification be configured. The resource setting requesting device is a device that has authority to set access rights resources, and may be an M2M platform.
Specifically, resources in M2M follow Representational State Transfer (RESTful); Figure 3B describes one such resource.
The containers field contains one or more containers <container>. A <container> is the container resource representation of the prior art and mainly holds data information resources that describe an application or an M2M terminal, platform or gateway.
A <container> has an accessRightID attribute, which is the access rights resource identifier. According to the ETSI M2M specification, the accessRightID attribute may be set as AnyURI [0...1], meaning 0 to 1 URI, and this URI points to an access rights resource accessRight. For example, if the accessRightID attribute is set to "http://m2m.op.com/accessRights/<ar5>", the access rules of this resource are described by access rights resource <ar5>.
302. Configure the access rights of the resource according to the setting request.
Specifically, the receiving device can change the accessRightID attribute from AnyURI [0...1] to AnyURI [0...unbounded] (that is, AnyURIList), where each URI must point to an access rights resource <accessRight>, namely an introduced resource access rights identification. This achieves a combined reference to at least two access rights resources.
In the embodiments of the invention, the requesting device can be an M2M platform or M2M gateway, and the receiving device can be an M2M terminal, M2M platform or M2M gateway. Through a request to set the access rights of a resource, an M2M platform or M2M gateway can set the access rights of a resource located on another device, such as an M2M terminal, M2M platform or M2M gateway, and can also set the access rights of a resource local to the requesting device. That is, the requesting device and the receiving device can be the same device or different devices. The embodiments of the invention do not limit this.
Figure 4 shows the signaling interaction of the resource access method of this embodiment, including:
401. The access device sends a resource access request to the receiving device. The request includes the access identification, the resource identification and the resource access operation indication for the resource.
402. The receiving device looks up the access rights resource identifier of the resource according to the resource identification, obtains at least two access rights resource identifications, and reads the corresponding access rights resources. It then parses the at least two access rights resources according to the resolution rules specified by the default rule parsing identification, obtaining the resource access rule set for the resource.
403. The receiving device returns a resource access response to the access device according to the access rule set of the resource, the access device identification and the access device's operation indication.
The rule parsing identification is described by a character string. The default rule parsing identification is "overlay", and the resolution rule it specifies is "sequential covering". Specifically, the at least two introduced access rights resource identifications in the access rights resource identifier of the resource are obtained in order from back to front, and the access rights resource corresponding to each identification is then read. The access rules in each access rights resource are analyzed in that order.
For an access subject that appears in the access subject sets of several access rules, its allowed access operation set is determined by the first access rule that contains that subject. If the access device matches the access subject set in the access rule set, it is then determined whether the access device's access operation belongs to the access operation set; if so, the access device is allowed to perform the access operation on the resource. If the access device does not belong to the access subject set in the access rule set, or it belongs to that set but its access operation does not match its allowed access operation set, or the access operation set is "none", the resource access request of the access device is refused.
For example, the accessRightID attribute is set to "http://m2m.op.com/accessRights/<ar3>; http://m2m.op.com/accessRights/<ar4>", meaning that the access rights of this resource are described jointly by access rights resources <ar3> and <ar4>. When an access device performs a read operation on the resource, the receiving device follows the default rule parsing identification (assumed in this embodiment to be "overlay", the default "sequential covering" resolution rule) and first obtains access rights resource <ar4>, whose rule set, say, allows access subjects "App1" and "App2" the access operation "Read". It then obtains access rights resource <ar3>, whose rule set, say, allows access subjects "App1" and "App3" the access operation "Write". The rule set after parsing is then: access subject "App1" is allowed "Read", access subject "App2" is allowed "Read", and subject "App3" is allowed "Write".
Another embodiment of the invention is described in detail below from the perspective of configuring the rule parsing identification. Figure 5 shows the signaling interaction for configuring the access rights resource identifier of a resource in the resource access method of this embodiment, including:
501. The requester sends a request to set the access rights resource identifier of a resource to the receiving device. The setting request includes the resource identification, the access rights resource identification and the rule parsing identification.
Specifically, the resource identification points to the resource whose rights resource identifier is to be set, the access rights resource identification is the identification of the introduced access rights resource, and the rule parsing identification is the identification of the resolution rule to be set. It is described by a character or character string and may be set, for example, to "overlay" or "union", which indicate that the access rights resources are parsed by "sequential covering" or "taking the intersection" respectively. It should be noted that this is only an example; the rule parsing identification may take any other form that those skilled in the art would understand. If there is no rule parsing identification, or no value is set for it, the default resolution rule is used, for example parsing the access rights resources one by one from back to front.
502. Configure the access rights resource identifier of the resource according to the setting request.
Specifically, the receiving device, such as an M2M terminal, M2M gateway or M2M platform, adds the introduced rights resource identification and the rule parsing identification to the access rights identifier of the resource corresponding to the resource identification, according to the setting request.
Optionally, a data structure for representing the access rights resource identifier is shown below. accessRightID contains an imports element, which includes one or more import elements and at least one resolveMode element. Each import element introduces an access rights resource, and resolveMode describes the rule parsing identification, which denotes a particular resolution rule. For example, the rule parsing identification may be set to "RFC4745" or "RFC3530", meaning that the access rights resources are parsed according to the RFC4745 or RFC3530 specification. For the resolution rules specified by the RFC4745 or RFC3530 rule parsing identification, refer to the related specifications. An example of an access rights identifier described in XML (Extensible Markup Language) is given below.
In this example, the access rights of the resource are described jointly by access rights resources <ar3> and <ar4>. Figure 6 shows the resource access method of this embodiment, including:
601. The access device sends an access request to the receiving device. The access request carries the resource identification, the access device identification and the access operation on the resource.
602. The receiving device obtains the access rights identification and the rule parsing identification from the access rights identifier of the resource, reads the access rights resource of the resource according to the access rights resource identification, and then parses the access rights resource in the parsing mode corresponding to the rule parsing identification, obtaining the access rule set for the resource.
603. Respond to the access request according to the access rule set, the access device identification and the access operation indication.
Specifically, if the access device identification belongs to the access subject set in the access rule set, and the access operation belongs to the allowed access operation set of the access rule set, the resource access request of the access device is allowed; otherwise a refusal response is given.
For example, when the access device performs a read operation on the resource, the middleware first obtains the value of resolveMode, that is, "RFC4745", and then parses the access rule set for the resource according to the RFC4745 specification that this rule parsing identification denotes. It determines from the parsed access rule set whether the access device may read the resource. If so, the read is allowed; if not, a refusal response is given.
It is worth mentioning that if the parsing mode indicated by a resolveMode imposes a priority requirement on the introduced rights resources, the access rights resources are parsed according to that priority requirement.
The resource access method of another embodiment of the invention is described below, taking as an example an access rights resource identifier that points to multiple access rights resources, with priorities set for the access rights resources and a rule parsing identification configured. Figure 7 shows the signaling interaction for setting the access rights resource identifier in the resource access method of this embodiment, including:
701. The requesting device sends a request to set the access rights identifier of a specific resource to the receiving device, such as an M2M terminal, M2M gateway or M2M platform. The setting request includes the resource identification, the introduced access rights resource identifications, the rule parsing identification and the access rights resource priority rule.
702. The receiving device configures the access rights resource identifier of the specified resource according to the setting request.
Specifically, a priority value is defined for each introduced access rights resource according to the access rights resource priority rule.
For example, a Priority attribute is set on each import element of the access rights resource identifier. Its value may be a number or a character and describes the priority relationship among the introduced access rights resources. For instance, if the Priority attributes of three import elements in the access rights resource identifier are set, from front to back, to "Priority=1", "Priority=2" and "Priority=3", then the import element with "Priority=3" has higher priority than the import element with "Priority=2", which in turn has higher priority than the import element with "Priority=1". If the Priority attribute values of the three import elements are identical, the default priority order is used, in which the priority of the import elements decreases step by step from back to front.
Figure 8 shows the signaling interaction of the resource access method of this embodiment, including:
801. The access device sends a resource access request to the receiving device. The request includes the resource identification, the access device identification and the access operation on the resource.
The receiving device can be an M2M terminal, M2M gateway or M2M platform, and the access device can also be an M2M terminal, M2M gateway or M2M platform.
802. The receiving device looks up the access rights resource identifier of the resource corresponding to the resource identification in the resource access request, reads the access rights resources according to the access rights identifications under that access rights resource identifier, and parses the access rights resources using the resolution rule corresponding to the rule parsing identification under that access rights resource identifier, obtaining the access rule set for the resource.
803. The receiving device returns a resource access response to the access device according to the access device identification, the access operation and the access rule set.
Specifically, if the access device belongs to the access subject set in the access rule set, it is determined whether the access operation corresponding to the access operation indication carried in the access request belongs to the allowed access operation set of that access subject; if so, the access device is allowed to perform the access operation on the resource. If the access device does not match the access subject set in the access rule set, or its access operation does not match its allowed access operation set, the access device's access operation on the resource is refused.
For example, after the priority attribute is introduced, an example of the access rights resource identifier accessRightID described in XML is shown below:
In the example shown above, the access rights of the resource are described jointly by access rights resources <ar3> and <ar4>, and there is a priority relationship between the introduced access rights resources: the priority of <ar3> is higher than the priority of <ar4>. In addition, resolveMode indicates that the resolution rule follows the "sequential covering" method. Access rights resource <ar3> is obtained first; say its rule set allows access subjects "App1" and "App3" the access operation "Write". Access rights resource <ar4> is then obtained; say its rule set allows access subjects "App1" and "App2" the access operation "Read". The rule set after parsing is then: access subject "App1" is allowed "Write", access subject "App2" is allowed "Read", and subject "App3" is allowed "Write". If resolveMode is set to "union", that is, the "taking the intersection" parsing mode, the value of "priority" is ignored because this mode has no priority requirement. Access rights resources <ar4> and <ar3> are obtained, and the rule set after parsing is: access subject "App1" is allowed "Write" and "Read", access subject "App2" is allowed "Read", and subject "App3" is allowed "Write". In addition, resolveMode may also be set to "RFC4745", "RFC3530" and so on, meaning that rule parsing follows the "RFC4745" specification or the "RFC3530" specification respectively; for the details, refer to the corresponding specification.
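The two worked results above ("overlay" with and without priorities, and "union") can be reproduced with the following added example, which is not code from the patent. The function names, the dictionary layout and the handling of a missing priority are assumptions made for illustration; the "union" branch merges each subject's operations, which is what the worked result in the text shows.

```python
# Added illustration, not code from the patent. The data is constructed to
# mirror the <ar3>/<ar4> example in the text: subject -> allowed operations.
ACCESS_RIGHTS = {
    "ar3": {"App1": {"Write"}, "App3": {"Write"}},
    "ar4": {"App1": {"Read"}, "App2": {"Read"}},
}


def evaluation_order(imports):
    """Return imported resource ids, highest priority first.

    imports: list of (resource_id, priority) in document order; priority is
    an int or None. A larger value outranks a smaller one. Equal values fall
    back to the default order, where later entries outrank earlier ones
    (back to front). Treating a missing priority as 0 is an assumption.
    """
    ranked = sorted(
        enumerate(imports),
        key=lambda item: (item[1][1] if item[1][1] is not None else 0, item[0]),
        reverse=True,
    )
    return [resource_id for _, (resource_id, _) in ranked]


def resolve(imports, resolve_mode="overlay", store=ACCESS_RIGHTS):
    """Build the access rule set (subject -> allowed operations).

    Only the two modes worked through in the text are handled; any other
    mode value raises ValueError, and an unknown resource id raises KeyError.
    """
    rule_set = {}
    if resolve_mode == "overlay":
        # Sequential covering: the first rule that names a subject decides
        # that subject's operations; later rules cannot change them.
        for resource_id in evaluation_order(imports):
            for subject, operations in store[resource_id].items():
                rule_set.setdefault(subject, set(operations))
        return rule_set
    if resolve_mode == "union":
        # Priority is ignored; every subject accumulates all operations.
        for resource_id, _ in imports:
            for subject, operations in store[resource_id].items():
                rule_set.setdefault(subject, set()).update(operations)
        return rule_set
    raise ValueError("unsupported resolveMode: %r" % (resolve_mode,))


def is_allowed(device_id, operation, imports, resolve_mode="overlay",
               store=ACCESS_RIGHTS):
    """Allow only if the subject is in the rule set and the operation is
    in its allowed set. Failing closed on a dangling reference or an
    unsupported mode is an added design choice, not stated in the text."""
    try:
        rule_set = resolve(imports, resolve_mode, store)
    except (KeyError, ValueError):
        return False
    return operation in rule_set.get(device_id, set())


if __name__ == "__main__":
    default_imports = [("ar3", None), ("ar4", None)]   # no Priority set
    prioritized = [("ar3", 2), ("ar4", 1)]             # <ar3> outranks <ar4>
    print(resolve(default_imports))
    print(resolve(prioritized))
    print(resolve(prioritized, "union"))
    print(is_allowed("App1", "Write", default_imports))
```

Note how the same two access rights resources give "App1" only "Read", only "Write", or both, depending on order and mode, so a change to Priority or resolveMode is a change to effective permissions and deserves the same review as a change to the rules themselves.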
The resource access method of another embodiment of the invention is described below, taking as an example an access rights identifier that points to multiple access rights resources, where the access rights resources are introduced in blocks consisting of a parent block and multiple sub-blocks corresponding to the parent block.
Figure 9A shows the signaling interaction for setting the access rights resource identifier of a resource in the resource access method of this embodiment, including:
901. The requester sends a request to set the access rights identifier of a resource to the receiving device, such as an M2M terminal, M2M gateway or M2M platform. The setting request includes the resource identification, the access rights resource identifications, the rules for dividing the access rights resources into a parent block and sub-blocks, and the rule parsing identifications corresponding to the parent block and to each sub-block.
Specifically, the parent block is indicated by setting the "imports" element of the access rights identifier, and a sub-block is indicated by setting the "import" element of the access rights identifier.
902. The receiving device configures the access rights of the specified resource according to the setting request.
Specifically, the receiving device obtains the resource according to the resource identification specified in the setting request, and updates the access rights identifier of the resource to the access rights identifier carried in the request. The access rights resources are divided into blocks, that is, a parent block and multiple sub-blocks of access rights resources corresponding to the parent block are set. Each sub-block includes at least one access rights resource identification. Each sub-block and each parent block can be given its own rule parsing identification, and each sub-block and each parent block can also be given a priority rule.
For example, an access rights resource identifier that introduces access rights resources in blocks can be described by the data structure shown in Figure 9B.
Figure 9B shows the structure of an access rights resource identifier accessRightID with multiple imports. accessRightID contains a permissionsRef element, which in turn includes one or more imports elements; each imports element includes one or more import elements, and each import element includes one or more access rights resource identifications.
Figure 10 shows the signaling interaction of the resource access method of this embodiment, including:
1001. The access device sends a resource access request to the receiving device. The request includes the resource identification, the access device identification and the access operation on the resource.
The receiving device can be an M2M terminal, M2M gateway or M2M platform, and the access device can also be an M2M terminal, M2M gateway or M2M platform.
1002. The receiving device looks up the access rights resource identifier of the resource corresponding to the resource identification in the resource access request. It first parses the access rights resources corresponding to the parent block according to the resolution rule and priority rule corresponding to the parent block's rule parsing identification, and then parses the access rights resources corresponding to the sub-blocks according to the rule parsing identifications and priority rules corresponding to the multiple sub-blocks, obtaining the resource access rule set for the resource.
1003. The receiving device returns a resource access response to the access device according to the access device identification, the access operation indication and the access rule set.
The following is an example, described in XML, of the accessRightID shown above.
In the example shown above, the access rights of the resource are described jointly by access rights resources <ar1>, <ar2>, <ar3>, <ar4>, <ar5>, <ar6> and <ar7>. When the access device sends an access operation request to perform a read operation on the resource, the receiving device first obtains the value "RFC3530" of resolveMode, the rule-interpretation child element of the "rights reference" (permissionsRef) element; that is, the rule parsing identification is RFC3530. It then parses the access rule set for the resource according to the RFC3530 specification that this rule parsing identification indicates. The RFC3530 parsing mode imposes a priority requirement on the access rights resources, so the receiving device reads the priority attribute of each imports element and orders the elements by the size of that attribute value. Here the priority attribute value of the last imports element is 3, so the access rights resources in that imports element are parsed first. The first imports element is parsed next, because its priority attribute value is 2. The middle imports element is parsed last, because its priority attribute value is 1. Each imports element is parsed in the parsing mode indicated by the value of its child element resolveMode. Finally, the receiving device determines from the parsed access rule set whether the requester may read the resource, and responds.
It should be noted that the middleware's refusal or allow response is not always triggered only after all rules have been parsed; it is triggered immediately once the resource access request of the access device is judged not to comply with an access rule.
The resource access method of another embodiment of the invention is described further below, taking as an example access rights resource identifications that point directly or indirectly to multiple access rights resources.
In this embodiment, the access rights resource identifier of a resource consists of multiple access rights resource identifications that point directly or indirectly to access rights resources. "Indirectly" means that the access rights resource identification does not point to the access rights resource itself.
For example, the access rights associated with a resource consist of zero or more access rights resource identifications that point directly or indirectly to access rights resources. For instance, the accessRightID attribute of resource Resource is set to "http://m2m.op.com/containers/<container1>; http://m2m.op.com/containers/<container2>/accessRightID; http://m2m.op.com/accessRights/<ar5>", meaning that the access rights of this resource are described jointly by the access rights resource of resource http://m2m.op.com/containers/<container1>, the access rights resource indicated by the accessRightID of resource http://m2m.op.com/containers/<container2>, and access rights resource http://m2m.op.com/accessRights/<ar5>.
When the access device performs a read operation on resource Resource, the receiving device follows the default access rights resource resolution rule and first determines whether the access subject set of the access rule set parsed from <ar5> contains the requester. If it does and its allowed access operation set includes the read operation, the requester is allowed to read the resource; if its allowed access operation set does not include the read operation, the requester is not allowed to read the resource.
If the access subject set of the access rule set parsed from <ar5> does not contain the requester, the receiving device continues by parsing the access rights resource indicated by the accessRightID of resource <container2>, and so on until all access rights resources have been parsed. It should be noted that when parsing "http://m2m.op.com/containers/<container2>/accessRightID", the receiving device must parse according to the access rights resource identifier http://m2m.op.com/containers/<container2>/accessRightID. When parsing http://m2m.op.com/containers/<container1>, the middleware must read the accessRightID access rights resource identifier of the resource that http://m2m.op.com/containers/<container1> refers to, and parse according to it. In addition, for the access rights resource indicated by the accessRightID of <container2> and the access rights resource of <container1>, resolveMode is not set in this example, so the default access rights resolution rule is used.
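The lookup just described, following direct and indirect identifications from back to front and stopping at the first rule that names the requester, is shown in the following added example, which is not code from the patent. The URIs for <ar5>, <container1> and <container2> come from the text; <ar1>, <ar2>, <loop>, the rule contents, the function names and the visited-set guard against self-referencing identifiers are assumptions made for illustration.

```python
# Added illustration, not code from the patent. Rule contents and the
# <ar1>, <ar2> and <loop> entries are constructed sample data.
BASE = "http://m2m.op.com"
ATTR = "/accessRightID"

STORE = {
    # Access rights resources: subject -> allowed operations.
    BASE + "/accessRights/<ar5>": {"rules": {"App1": {"Read"}}},
    BASE + "/accessRights/<ar1>": {"rules": {"App1": {"Write"},
                                             "App2": {"Read", "Write"}}},
    BASE + "/accessRights/<ar2>": {"rules": {"App3": {"Write"}}},
    # Ordinary resources that carry their own accessRightID attribute.
    BASE + "/containers/<container1>": {
        "accessRightID": [BASE + "/accessRights/<ar1>"]},
    BASE + "/containers/<container2>": {
        "accessRightID": [BASE + "/accessRights/<ar2>"]},
    # A resource whose identifier points back at itself.
    BASE + "/containers/<loop>": {
        "accessRightID": [BASE + "/containers/<loop>"]},
}

# The accessRightID value from the text, split on ';'.
RESOURCE_ACCESS_RIGHT_ID = [
    BASE + "/containers/<container1>",
    BASE + "/containers/<container2>" + ATTR,
    BASE + "/accessRights/<ar5>",
]


def iter_rules(identifications, store, seen=None):
    """Yield rule dicts lazily, last identification first.

    A URI that names a resource, or a resource's accessRightID attribute,
    is indirect: the resource's own identifications are followed in turn.
    """
    seen = set() if seen is None else seen
    for uri in reversed(identifications):
        target = uri[: -len(ATTR)] if uri.endswith(ATTR) else uri
        if target in seen:
            continue                  # already evaluated, or a reference cycle
        seen.add(target)
        entry = store.get(target)
        if entry is None:
            continue                  # a dangling reference grants nothing
        if "rules" in entry:
            yield entry["rules"]      # direct: an access rights resource
        else:
            yield from iter_rules(entry.get("accessRightID", []), store, seen)


def decide(device_id, operation, identifications, store=STORE):
    """The first rule set that names the subject decides; default is deny."""
    for rules in iter_rules(identifications, store):
        if device_id in rules:
            return operation in rules[device_id]
    return False


if __name__ == "__main__":
    for subject, op in [("App1", "Read"), ("App1", "Write"),
                        ("App2", "Write"), ("App3", "Write"), ("App9", "Read")]:
        print(subject, op, decide(subject, op, RESOURCE_ACCESS_RIGHT_ID))
```

"App1" is refused "Write" even though the constructed <ar1> would grant it, because <ar5> names "App1" first and ends the search, which is the early-exit behaviour the text describes.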
The resource access device of an embodiment of the invention is described below. As shown in Figure 11, the resource access device includes: a setting unit 1101, configured to set the access rights resource identifier of a resource so that the access rights resource identifier of the resource includes at least two resource access rights identifications, each of which points to an access rights resource; a receiving unit 1102, configured to receive the resource access request of an access device, the resource access request including the access device identification and the resource access operation; an acquiring unit 1103, configured to obtain the access rights resource identifications in the access rights identifier of the resource, read the access rights resources according to the access rights resource identifications, and parse the access rights resources according to default resolution rules to obtain the resource access rule set for the resource; and a response unit 1104, configured to respond to the resource access request of the access device according to the resource access rule set and the access device identification.
As shown in Figure 12, the setting unit 1101 includes:
A receiving subunit 11011, configured to receive a request to set the access rights resource identifier of a resource, the setting request including at least two introduced resource access rights identifications;
A setting subunit 11012, configured to set the access rights resource identifier of the resource according to the setting request received by the receiving subunit, so that the access rights resource identifier of the resource includes the at least two introduced resource access rights identifications.
As shown in Figure 13, the acquiring unit includes:
A first acquiring unit 11031, configured to obtain the access rights resource identifications in the access rights identifier of the resource and read the access rights resources according to the access rights resource identifications;
A second acquiring unit 11032, configured to parse the access rights resources according to the resolution rule corresponding to the rule parsing identification, obtaining the resource access rule set for the resource.
A third acquiring unit 11033, configured to parse the access rights resources according to the access rights resource priority rule and the resolution rule corresponding to the rule parsing identification, obtaining the resource access rule set for the resource.
A fourth acquiring unit 11034, configured to first parse the access rights resources according to the resolution rule corresponding to the parent block's rule parsing identification, and then parse the access rights resources corresponding to the sub-blocks according to the rule parsing identifications corresponding to the multiple sub-blocks, obtaining the resource access rule set for the resource.
A fifth acquiring unit 11035, configured to first parse the access rights resources according to the resolution rule and priority rule corresponding to the parent block's rule parsing identification, and then parse the access rights resources corresponding to the sub-blocks according to the rule parsing identifications and priority rules corresponding to the multiple sub-blocks, obtaining the resource access rule set for the resource.
A sixth acquiring unit 11036, configured to obtain the access rights resource address according to the indirect access rights resource identification and read the access rights resource according to the access rights resource address.
It should be noted that the resource access device of the embodiments of the invention can be an M2M terminal, M2M platform or M2M gateway.
In the resource access device of the embodiment described above, a subject that has resource configuration authority sets the access rights resource identifier of a resource in the resource access device by adding the access rights resource identifications of other resources to the access rights resource identifier, so that the resource access device can obtain the related access rights resources from those identifications. Resources can thereby inherit access rights resources from one another, and the access rights of a resource adjust automatically when the access rights of the inherited resource are modified. This improves the efficiency of managing resource access rights and also improves the utilization of the storage space for access rights resources, saving storage space.
Figure 14 is a structural diagram of another resource access device provided by an embodiment of the invention, which includes a memory 1401 and a processor 1402. The memory 1401 stores the units described in Figures 11-13. The processor 1402 is connected to the memory 1401 and runs the units in the memory 1401 to perform the corresponding function of each unit. The functions of the units in the memory 1401 in Figure 14 are the same as the functions of the units in Figures 11-13, and are not described again here.
The processing functions of the units included in the above resource access device have been described in the preceding method embodiments and are not repeated here. In addition, in an M2M network, the M2M platform can be any computer or any device that has a processor. There is no strict distinction between M2M gateway and M2M terminal devices; for example, a device that acts as a gateway can also act as a terminal, and all kinds of terminal devices, such as mobile phones, computers, PDAs, notebook computers, remote controllers, household appliances, instruments and sensors, can serve as a gateway or terminal of the M2M network. The units included in the above unit embodiments are divided only according to functional logic; the division is not limited to the one above as long as the corresponding functions can be realized. The specific names of the functional units are likewise only for ease of distinguishing them from one another and do not limit the protection scope of the invention. The functions of the above method for charging and of each functional unit of the device for charging can all be completed by the processor of the M2M gateway or M2M platform running each unit.
Those of ordinary skill in the art will understand that all or part of the flows in the above method embodiments can be completed by a computer program instructing the related hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM: Read-Only Memory) or a random access memory (RAM: Random Access Memory), among others.
In summary, the above are only preferred embodiments of the invention and are not intended to limit its protection scope. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within the protection scope of the invention.

Claims (17)

1. A resource access method applied to M2M, characterized by comprising:
Receiving a resource access request from an access device, the resource access request including an access device identifier, an access resource identifier and a resource access operation indication;
Obtaining, according to the access resource identifier, at least two access rights resource identifiers of the resource corresponding to the access resource identifier, and reading, according to the at least two access rights resource identifiers, the access rights resource indicated by each access rights resource identifier;
Determining an access rule set for the resource according to a resolution rule for the resource and the access rights resources;
Responding to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
2. The method of claim 1, characterized in that the method further comprises:
Receiving a setting request for the access rights of the resource, the setting request including at least two access rights resource identifiers;
Setting the access rights for the resource according to the at least two access rights resource identifiers.
3. The method of claim 2, characterized in that the setting request further includes a rule parsing identifier, and the determining of the access rule set for the resource according to the resolution rule for the resource and the access rights resources comprises:
Parsing the access rights resources according to the resolution rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
4. The method of claim 3, characterized in that the setting request further includes an access rights resource priority rule, and the determining of the access rule set for the resource according to the resolution rule for the resource and the access rights resources comprises:
Parsing the access rights resources according to the access rights resource priority rule and the resolution rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
5. The method of claim 3, characterized in that the setting request further includes partitioning multiple access rights resources into blocks, so that the multiple access rights resources include an access rights resource parent block and multiple sub-blocks corresponding to the parent block, the parent block and the multiple sub-blocks corresponding to the parent block each including a corresponding rule parsing identifier, and the determining of the access rule set for the resource according to the resolution rule for the resource and the access rights resources comprises:
First parsing the access rights resources according to the resolution rule corresponding to the rule parsing identifier of the parent block, and then parsing the access rights resources corresponding to the sub-blocks according to the rule parsing identifiers corresponding to the multiple sub-blocks, to obtain the access rule set for the resource.
6. The method of claim 5, characterized in that the setting request further includes priority rules of the parent block and the sub-blocks, and the determining of the access rule set for the resource according to the resolution rule for the resource and the access rights resources comprises:
First parsing the access rights resources according to the resolution rule corresponding to the rule parsing identifier of the parent block and the priority rule, and then parsing the access rights resources corresponding to the sub-blocks according to the resolution rules corresponding to the rule parsing identifiers of the multiple sub-blocks and the priority rule, to obtain the resource access rule set for the resource.
7. The method of any one of claims 3-6, characterized in that the setting request includes at least two indirect access rights resource identifiers, and the determining of the access rule set for the resource according to the resolution rule for the resource and the access rights resources comprises:
Obtaining an access rights resource address according to the indirect access rights resource identifier, and reading the access rights resource according to the access rights resource address;
Parsing the access rights resources according to the resolution rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
8. The method of claim 1, characterized in that the access rule set includes an access subject set and an access operation set corresponding to each access subject, and the responding to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication comprises:
If the access device matches the access subject set, and the access operation indicated by the resource access operation indication matches the access operation set, allowing the access device to access the resource;
If the access device does not match the access subject set, or the access device matches the access subject set but the access operation indicated by the resource access operation indication does not match the access operation set of the access device, refusing the access device access to the resource;
If the access device matches the access subject set but the access operation set of the access device is "None", refusing all types of access operation requests from the access device.
9. A resource access device applied to M2M, characterized by comprising:
A receiving unit, configured to receive a resource access request from an access device, the resource access request including an access device identifier, an access resource identifier and a resource access operation indication;
An acquiring unit, configured to obtain, according to the access resource identifier, at least two access rights resource identifiers of the resource corresponding to the access resource identifier, and to read, according to the at least two access rights resource identifiers, the access rights resource indicated by each access rights resource identifier; and further configured to determine an access rule set for the resource according to a resolution rule for the resource and the access rights resources;
A response unit, configured to respond to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
10. The device of claim 9, characterized in that the device further includes:
A setting unit, configured to set the access rights of the resource, the setting unit including:
A receiving subunit, configured to receive a setting request for the access rights of the resource, the setting request including at least two access rights resource identifiers;
A setting subunit, configured to set the access rights resource identifier of the resource according to the setting request received by the receiving subunit, so that the access rights resource identifier of the resource includes the at least two access rights resource identifiers.
11. The device of claim 10, characterized in that the receiving subunit is specifically configured to:
Receive the setting request for the access rights of the resource, the setting request further including a rule parsing identifier, and the acquiring unit includes:
A first acquiring unit, configured to obtain the at least two access rights resource identifiers in the access rights identifier of the resource, and to read the access rights resources respectively according to the access rights resource identifiers;
A second acquiring unit, configured to parse the access rights resources according to the resolution rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
12. The device of claim 10, characterized in that the receiving subunit is further specifically configured to:
Receive the setting request for the access rights of the resource, the setting request further including an access rights resource priority rule, and the acquiring unit further includes:
A third acquiring unit, configured to parse the access rights resources according to the access rights resource priority rule and the resolution rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
13. The device of claim 11, characterized in that the receiving subunit is further specifically configured to:
Receive the setting request for the access rights of the resource, the setting request further including partitioning multiple access rights resources into blocks, so that the multiple access rights resources include an access rights resource parent block and multiple sub-blocks corresponding to the parent block, the parent block and the multiple sub-blocks corresponding to the parent block each including a corresponding rule parsing identifier, and the acquiring unit further includes:
A fourth acquiring unit, configured to first parse the access rights resources according to the resolution rule corresponding to the rule parsing identifier of the parent block, and then parse the access rights resources corresponding to the sub-blocks according to the rule parsing identifiers corresponding to the multiple sub-blocks, to obtain the access rule set for the resource.
14. The device of claim 13, characterized in that the receiving subunit is further specifically configured to:
Receive the setting request for the access rights of the resource, the setting request further including the respective priority rules of the parent block and the sub-blocks, and the acquiring unit further includes a fifth acquiring unit, configured to first parse the access rights resources according to the resolution rule corresponding to the rule parsing identifier of the parent block and the priority rule, and then parse the access rights resources corresponding to the sub-blocks according to the rule parsing identifiers corresponding to the multiple sub-blocks and the priority rule, to obtain the access rule set for the resource.
15. The device of any one of claims 10-14, characterized in that the receiving subunit is further specifically configured to:
Receive the setting request for the access rights of the resource, the setting request including at least two indirect access rights resource identifiers, and the acquiring unit further includes a sixth acquiring unit, configured to obtain an access rights resource address according to the indirect access rights resource identifier, and to read the access rights resource according to the access rights resource address;
Parse the access rights resources according to the resolution rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
16. The device of claim 9, characterized in that the response unit is specifically configured to:
If the access device matches the access subject set, and the access operation indicated by the resource access operation indication matches the access operation set of the access device, allow the access device to access the resource;
If the access device does not match the access subject set, or the access device matches the access subject set but the resource access operation does not match the access operation set, refuse the access device access to the resource;
If the access device matches the access subject set but the access operation set of the access device is "None", refuse all types of access operation requests from the access device.
17. The device of any one of claims 9-14 and 16, characterized in that the device includes: an M2M terminal, an M2M platform and an M2M gateway.
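
The request handling of claims 1, 4 and 8, as an added example that is not part of the patent text: a resource references two access rights resources, these are merged into one access rule set, and the request is then allowed or refused. The rule names ("union", "intersection", "priority"), all identifiers and the sample data are assumptions made for illustration; the claims do not name specific resolution rules.

```python
# Added illustration of claims 1, 4 and 8. Rule names ("union",
# "intersection", "priority"), identifiers and data are assumptions.
NONE = frozenset()  # claim 8's "None" operation set: subject listed, nothing allowed

# Constructed access rights resources: id -> {access subject -> operations}
ACR_STORE = {
    "acr1": {"dev-A": frozenset({"read", "write"}), "dev-B": frozenset({"read"})},
    "acr2": {"dev-A": frozenset({"read"}), "dev-C": NONE},
}

# Constructed resources, each bound to at least two access rights resource ids,
# a rule parsing identifier and (optionally) a priority order.
RESOURCES = {
    "res-strict": {"acr_ids": ["acr1", "acr2"], "rule": "intersection"},
    "res-open": {"acr_ids": ["acr1", "acr2"], "rule": "union"},
    "res-prio": {"acr_ids": ["acr1", "acr2"], "rule": "priority",
                 "priority": ["acr2", "acr1"]},
    "res-broken": {"acr_ids": ["acr1", "acr9"], "rule": "union"},  # dangling id
}


def resolve(acr_ids, rule, priority=None):
    """Merge the referenced access rights resources into one access rule set."""
    if len(acr_ids) < 2:
        raise ValueError("claim 1 requires at least two access rights resources")
    ordered = sorted(acr_ids, key=priority.index) if priority else list(acr_ids)
    acrs = [ACR_STORE[i] for i in ordered]  # KeyError if a reference dangles
    rule_set = {}
    for subject in set().union(*acrs):
        grants = [acr[subject] for acr in acrs if subject in acr]
        if rule == "union":
            rule_set[subject] = frozenset().union(*grants)
        elif rule == "intersection":
            if len(grants) == len(acrs):  # must be listed in every resource
                rule_set[subject] = frozenset.intersection(*grants)
        elif rule == "priority":
            rule_set[subject] = grants[0]  # highest-priority resource wins
        else:
            raise ValueError(f"unknown resolution rule: {rule}")
    return rule_set


def handle_request(device_id, resource_id, operation):
    """Return 'allow' or a 'deny: ...' reason, failing closed on any error."""
    entry = RESOURCES.get(resource_id)
    if entry is None:
        return "deny: unknown resource"
    try:
        rule_set = resolve(entry["acr_ids"], entry["rule"], entry.get("priority"))
    except (KeyError, ValueError):
        return "deny: access rights could not be resolved"
    if device_id not in rule_set:
        return "deny: subject not matched"
    if not rule_set[device_id]:
        return "deny: operation set is None"
    if operation not in rule_set[device_id]:
        return "deny: operation not matched"
    return "allow"
```

The same device and operation can be allowed or refused depending only on which rule merges the two access rights resources, so the rule and priority order bound to a resource deserve the same review as the access rights resources themselves.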
CN201280001197.XA 2012-07-02 2012-07-02 resource access method and device Active CN104169930B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/078071 WO2014005268A1 (en) 2012-07-02 2012-07-02 Resource access method and device

Publications (2)

Publication Number Publication Date
CN104169930A CN104169930A (en) 2014-11-26
CN104169930B true CN104169930B (en) 2017-02-22

Family

ID=49881221

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280001197.XA Active CN104169930B (en) 2012-07-02 2012-07-02 resource access method and device

Country Status (2)

Country Link
CN (1) CN104169930B (en)
WO (1) WO2014005268A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3295652B1 (en) * 2015-10-19 2020-02-05 Huawei Technologies Co., Ltd. Methods, systems, and apparatuses of service provisioning for resource management in a constrained environment
CN105915621A (en) * 2016-05-11 2016-08-31 深圳市永兴元科技有限公司 Data access method and pretreatment server
CN109150815B (en) * 2017-06-28 2021-11-23 阿里巴巴集团控股有限公司 Resource processing method, device and machine readable medium
CN113128200B (en) * 2019-12-31 2023-07-21 北京百度网讯科技有限公司 Method and device for processing information
CN116980182B (en) * 2023-06-21 2024-02-27 杭州明实科技有限公司 Abnormal request detection method and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1848022A (en) * 2005-04-13 2006-10-18 华为技术有限公司 Authority control method based on access control list
CN101197026A (en) * 2007-12-20 2008-06-11 浙江大学 Design and storage method of resource and its access control policy in high-performance access control system
CN101655892A (en) * 2009-09-22 2010-02-24 成都市华为赛门铁克科技有限公司 Mobile terminal and access control method
CN102129539A (en) * 2011-03-11 2011-07-20 清华大学 Data resource authority management method based on access control list

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1845104B (en) * 2006-05-22 2012-04-25 赵开灏 System and method for intelligent information retrieval processing

Also Published As

Publication number Publication date
CN104169930A (en) 2014-11-26
WO2014005268A1 (en) 2014-01-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220217

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technologies Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.