CN116415222B - Authorization management method and system for cloud design platform of process industrial digital factory - Google Patents
Publication number: CN116415222B (application CN202310513350.7A)
- Authority: CN (China)
- Prior art keywords: software, certificate, user, authorization, license server
- Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- G06F21/33: User authentication using certificates (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31 User authentication)
- G06F21/12: Protecting executable software (under G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; digital rights management [DRM])
- G06F21/31: User authentication
- H04L63/0823: Network architectures or network communication protocols for network security, authentication of entities using certificates (under H04L63/00 and H04L63/08)
- H04L63/083: Network architectures or network communication protocols for network security, authentication of entities using passwords
- Y02P90/30: Computing systems specially adapted for manufacturing (under Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)
Abstract
The authorization management method for the cloud design platform of a process-industry digital factory uses a License server to manage authorization of the order software on the cloud collaborative design platform. After authentication passes, a user obtains a certificate valid for one unit of time; when it is used up a new one is issued, until the client's lease duration is exhausted. In the License server the authentication service and the authorization service are decoupled by the bridging of an LIC engine, and the authentication service is invoked by the software's authentication module. An authorization management system using this method comprises a License server, the License module of the software and a CRM system interface: the License server provides the services needed for authorization management; the License module of the software implements the software's authentication; and the CRM system interface connects to the CRM system to synchronize the user's order information. The invention integrates authorization and authentication services and provides a flexible, unified license management flow.
Description
Technical Field
The invention belongs to the technical field of industrial Internet, and particularly relates to an authorization management system of a cloud design platform of a process industrial digital factory.
Background
Industrial intelligence is the current trend in the development of productivity, and digitization is its basis, so the digital transformation of the process industry is both imperative and urgent. Because process-industry projects are usually large in scale, involve many disciplines and are highly integrated and complex, designers from different professions and disciplines must work together during digital transformation. At the same time, for reasons of expertise, cost and labour, more and more of this work is outsourced to design organisations with higher specialisation and efficiency. Cloud-based collaborative design platforms have therefore become widespread. Such a platform provides a range of design software ("rented" software) in the cloud, and the user selects and uses the software they need in a virtual desktop. The computation-heavy part, the execution of the software, runs in the cloud, so the user's hardware requirements are modest, and users who use the software only occasionally need not purchase it.
However, such platforms often face the following problems when managing licenses for the various design software:
(1) Authorization of the platform software cannot be centrally managed. The platform has to deploy design software from several manufacturers, for several professions and even in several versions according to users' design requirements, and has to realise different authorization modes according to how users use it; most collaborative design platforms cannot integrate the requirements of many users for many pieces of software, which increases the difficulty and workload of platform license management.
(2) A personalised working environment cannot be provided. Users often use more than one piece of software on a platform, and even need to switch back and forth between them while working; if each piece of platform software is accessed separately through its own link, user experience and working efficiency inevitably suffer.
(3) Design software cannot be used on demand. Process-industry design software is large and expensive; a suite costing tens of millions of yuan is common. Much of it is licensed by validity period rather than by actual usage time, so idle software resources are wasted. This greatly increases an enterprise's software cost and is an even heavier burden for individual users.
(4) Sales business and software cannot be decoupled. If the sales (authorization) logic cannot be separated from the software's authentication code, a new software version has to be produced whenever the sales model changes, which increases the workload of version management and development.
(5) The user's usage state cannot be known in real time. Without comprehensive statistics on software usage, software vendors and customers find it hard to make effective decisions along dimensions such as user preference, software positioning and trend changes. This hurts the vendor's return on investment and the customer's ability to make good use of purchased software.
A management system that solves the current authorization problems of collaborative design cloud platform software is therefore needed.
Disclosure of Invention
To address these problems, the invention provides a solution built from an LIC engine, certificate slices and a virtual desktop, so as to achieve flexible, easy-to-use and efficient authorization management for a cloud design platform. The design idea is as follows:
As shown in fig. 1, the invention performs authorization management for design software rented or sold on the cloud design platform of a process-industry digital factory. The software is authenticated through the authentication service of the license server described here; the authentication service builds on the authorization service, and the two are decoupled through an LIC engine. The user accesses a web virtual desktop through a browser on the terminal to use the design software, which is delivered by the platform's virtual desktop server.
The specific design is as follows:
1. abstract LIC engine
The License server mainly provides authorization and authentication services for the software of the cloud collaborative design platform. The authentication service is not tied directly to the authorization service; the two are decoupled by having the LIC engine "bridge" between them.
As shown in fig. 2, when the authorization service authorizes a rental software on the basis of an order, it generates the following certificate information:
(1) Authorization requirements: an extension class object packaged in the order entity. It comprises the order information and customisable extension information; the extension class object is what keeps the authorization information flexible.
(2) Authorization code: a 64-bit code string used as the unique identifier of the authorized software. It encodes the order's company code, software code, version number, contract number and similar information.
(3) Key information: a packaged custom asymmetric key class holding the key size, key algorithm, public key and private key. Key information corresponds one-to-one with the authorization code and is used to encrypt and decrypt the license certificate.
When the software is authenticated it first registers: the host information, user information and authorization code are encoded into a registration code, which is uploaded to the server by calling the registration service of the LIC engine.
On receiving the registration code, the License server calls the authorization service to "extend" the certificate information, adding the client host information and user information carried in the registration code to form the complete certificate information, and submits it to the LIC engine.
The LIC engine uses "reflection resolution" to convert the certificate information into key-value pairs in the form of a string readable by the authentication side; this is the key to separating authorization from authentication. Rather than generating the certificate from a fixed certificate structure, the LIC engine generates it from the string, which can be produced from any certificate information. The authorized certificate information can therefore change arbitrarily, and the LIC engine can still generate and parse certificates through the class structure.
Through the "online authentication" service, the software "generates certificates" and "verifies certificates" on top of the LIC engine. To generate a certificate, the key-value string of the certificate information is encrypted with one key of the key pair held in the certificate information, producing the digital certificate. To verify a certificate, it is decrypted with the other key of the pair and then checked against the key-value pairs.
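The registration and certificate flow just described, as an added worked example in Go. It is not the patent's own code (the embodiment describes a Java service); the struct and field names, the `lic` tags, the separator in the registration code, the percent-escaped key=value encoding, and the use of an RSA-PSS signature to realise the page's "encrypt with one key of the pair, decrypt with the other" are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"reflect"
	"strings"
)

// CertificateInfo carries the order-derived authorization requirement (with its
// extension map), the authorization code and the host/user binding added at
// registration. Field names and the `lic` tags are assumptions of this example.
type CertificateInfo struct {
	AuthCode  string            `lic:"auth_code"`
	Software  string            `lic:"software"`
	Host      string            `lic:"host"`
	User      string            `lic:"user"`
	Extension map[string]string `lic:"ext"`
}

const sep = "\x1f" // unit separator, assumed not to occur in host, user or code

// RegistrationCode encodes host information, user information and the
// authorization code into the opaque string the client stores locally.
func RegistrationCode(host, user, authCode string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(host + sep + user + sep + authCode))
}

// ParseRegistrationCode is the server-side inverse of RegistrationCode.
func ParseRegistrationCode(code string) (host, user, authCode string, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(code)
	if p := strings.Split(string(raw), sep); err == nil && len(p) == 3 {
		return p[0], p[1], p[2], nil
	}
	return "", "", "", fmt.Errorf("malformed registration code")
}

// Flatten is the "reflection resolution" step: the struct is walked by reflection
// and emitted as sorted, percent-escaped key=value pairs, so the engine can certify
// any field set without knowing its shape. Only string and map[string]string fields are handled.
func Flatten(v any) string {
	rv := reflect.ValueOf(v)
	vals := url.Values{}
	for i := 0; i < rv.NumField(); i++ {
		key, f := rv.Type().Field(i).Tag.Get("lic"), rv.Field(i)
		if f.Kind() == reflect.Map {
			for _, k := range f.MapKeys() {
				vals.Set(key+"."+k.String(), f.MapIndex(k).String())
			}
		} else {
			vals.Set(key, f.String())
		}
	}
	return vals.Encode() // Encode sorts by key, giving a canonical string
}

// GenerateCertificate signs the flattened string with the server's private key.
// The page calls this "encrypting with one key of the pair"; an RSA-PSS signature
// over a SHA-256 digest is the standard realisation of that intent.
func GenerateCertificate(priv *rsa.PrivateKey, info CertificateInfo) (string, error) {
	payload := []byte(Flatten(info))
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyCertificate checks the signature with the public key, the only key the
// client's authentication module needs, and returns the key-value pairs.
func VerifyCertificate(pub *rsa.PublicKey, cert string) (url.Values, error) {
	dot := strings.IndexByte(cert, '.')
	if dot < 0 {
		return nil, fmt.Errorf("malformed certificate")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(cert[:dot])
	sig, err2 := base64.RawURLEncoding.DecodeString(cert[dot+1:])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("malformed certificate encoding")
	}
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	return url.ParseQuery(string(payload))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	host, user, code, _ := ParseRegistrationCode(RegistrationCode("vm-design-07", "alice", "AC-0042"))
	info := CertificateInfo{AuthCode: code, Software: "PIPE-CAD", Host: host, User: user,
		Extension: map[string]string{"billing": "hourly"}}
	cert, _ := GenerateCertificate(priv, info)
	kv, err := VerifyCertificate(&priv.PublicKey, cert)
	fmt.Println(err, kv.Get("user"), kv.Get("ext.billing"))
}
```

Two points a practitioner should take from this. The client verifies with the public key only, so the private half of the pair never has to leave the license server. And because the payload is canonicalised (sorted, escaped) before signing, the authentication module can parse fields it did not know about when it was compiled, which is what lets the authorization service add extension fields without a new software build. The example does not compare the host and user in the certificate with the terminal presenting it; the authentication module must make that comparison, or a certificate copied from one registered terminal would be accepted on another.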
2. Distributed certificate slicing
After the platform has authorized the software rented by a client, the client may have several users using it at the same time, each possibly on a different terminal. The invention therefore adopts a certificate slicing mechanism: after authentication each user obtains a certificate valid for one unit of time, and when it is used up a new one is issued, until the client's rental duration is exhausted.
As shown in fig. 3, the design principle of certificate slices is as follows:
(1) After the platform has authorized the client's software, the user can log in with the allocated account and use it.
(2) If the terminal is using the software for the first time, the authorization code provided by the software vendor must be entered to register. During registration the license server obtains the client's host information, encodes it together with the authorization code into a registration code, and returns the registration code to the user, where the software stores it locally on the terminal (at a path configured in the software). On later logins the software automatically submits the registration code (not the authorization code) to the server, which then verifies the certificate slice directly.
(3) After registration the license server generates certificate slices: the license certificate for online authorization is not issued all at once but in portions, each covering a fixed period (configurable on the server), until the duration of the software rented by the client is exhausted.
(4) When verifying a certificate slice, the license service handles the verification result in different ways:
if the user is not authorized, the software exits and alerts the user;
if the certificate has expired, the system checks whether any duration remains: if the duration is exhausted, the user is told that the purchased duration is used up and the login fails; if duration remains, the user is asked whether to start a new charging period, and once the client agrees the license server generates a new slice certificate;
if the certificate has not expired, the server returns a list of software functions, an encrypted temporary Token and, on first login, the registration code. The returned Token is stored in the user's cookie, and the returned function list determines which functions the user can use after logging in to the software.
(5) While the user is using the software, it periodically sends the Token to the license server so that the server can check that the certificate slice is still valid.
(6) Likewise, while the software is in use it periodically sends the Token to the server to check whether the certificate has expired, so that use stays within the authorized period.
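The slice lifecycle of steps (1) to (6), as an added example in Go that is not the patent's own code. It models the license server's bookkeeping for one authorization code: the pooled purchased duration, registration of a user on a terminal, issuing a slice of the configured unit length, the four outcomes of checking a slice, and the periodic token check. Orders are kept in memory, the registration code is a random string rather than an encoding of host information, and the token is an opaque server-side value rather than the encrypted token the page describes; all of these are simplifications of this example. The injectable clock exists so that the expiry branches can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// Outcome of checking a certificate slice, one value per branch described above.
type Outcome int

const (
	Unauthorized    Outcome = iota // no authorization for this user on this terminal: software exits
	Exhausted                      // slice expired and no purchased duration left: login fails
	RenewalRequired                // slice expired but duration remains: ask the user to start a new period
	Valid                          // slice current: token and function list returned
)

// Order is what the authorization service granted under one authorization code.
type Order struct {
	Remaining time.Duration // purchased duration not yet handed out as slices
	Functions []string
	Users     map[string]bool
}

// registration binds one terminal and user to an order and holds their live slice.
type registration struct {
	host, user, authCode string
	sliceEnd             time.Time
}

// LicenseServer is an in-memory stand-in for the page's database-backed server.
type LicenseServer struct {
	SliceUnit     time.Duration    // the configurable slice period
	Now           func() time.Time // injectable clock
	Orders        map[string]*Order
	registrations map[string]*registration
	tokens        map[string]time.Time // token -> expiry of the slice it was issued for
}

func NewLicenseServer(unit time.Duration, now func() time.Time) *LicenseServer {
	return &LicenseServer{SliceUnit: unit, Now: now, Orders: map[string]*Order{}, registrations: map[string]*registration{}, tokens: map[string]time.Time{}}
}

func randomString() string {
	b := make([]byte, 16)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// issueSlice deducts one unit (or whatever is left) from the pooled duration.
func (s *LicenseServer) issueSlice(o *Order, r *registration) {
	unit := s.SliceUnit
	if o.Remaining < unit {
		unit = o.Remaining
	}
	o.Remaining -= unit
	r.sliceEnd = s.Now().Add(unit)
}

// Register returns the registration code the client stores and issues the first
// slice. A random code is an assumption; the page encodes host information into it.
func (s *LicenseServer) Register(host, user, authCode string) (string, error) {
	o, ok := s.Orders[authCode]
	if !ok || !o.Users[user] {
		return "", fmt.Errorf("user %q is not authorized for %q", user, authCode)
	}
	code := randomString()
	r := &registration{host: host, user: user, authCode: authCode}
	s.registrations[code] = r
	s.issueSlice(o, r)
	return code, nil
}

// Login is the check run when the software starts on a registered terminal;
// startNewPeriod carries the user's consent to begin a new charging period.
func (s *LicenseServer) Login(user, regCode string, startNewPeriod bool) (Outcome, string, []string) {
	r, ok := s.registrations[regCode]
	if !ok || r.user != user || !s.Orders[r.authCode].Users[user] {
		return Unauthorized, "", nil // Orders[r.authCode] is non-nil: Register only accepts known orders
	}
	o := s.Orders[r.authCode]
	if !s.Now().Before(r.sliceEnd) {
		if o.Remaining <= 0 {
			return Exhausted, "", nil
		}
		if !startNewPeriod {
			return RenewalRequired, "", nil
		}
		s.issueSlice(o, r)
	}
	tok := randomString() // opaque server-side token; the page encrypts its token instead
	s.tokens[tok] = r.sliceEnd
	return Valid, tok, o.Functions
}

// VerifyToken is the periodic in-use check: issued by this server, slice unexpired.
func (s *LicenseServer) VerifyToken(tok string) bool {
	exp, ok := s.tokens[tok]
	return ok && s.Now().Before(exp)
}
```

The call sequence the page describes is `Register` once per terminal (which also issues the first slice), `Login(user, code, false)` on each start, `Login(user, code, true)` after the user agrees to a new charging period, and `VerifyToken` on every periodic check. Two design points are worth noting. The purchased duration is decremented when a slice is issued, not when it expires, so two users of the same client cannot both be handed the last remaining unit. And a token is only as good as the slice it was issued for, so the in-use check fails as soon as the slice expires even if the software never logs out. Since the page stores the token in a cookie, that cookie should be marked HttpOnly and Secure and scoped to the license server's origin.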
3. Virtual web desktop
As shown in fig. 4, the platform deploys all design software once in an application server cluster. The virtual desktop server creates a virtual desktop for each usage scenario of a user role through virtualization software (e.g. Citrix) and publishes the required software into it; the user opens the virtual desktop in a browser and uses the software there.
Beneficial effects of the invention
The highly abstract LIC engine completely decouples the specific authorization business from the program code, adapts to complex and changing market demands, and provides a consistent authorization flow and operating interface for orders of different software, different clients and different sales schemes. For example, user types may include trial and formal; the charging mode may be on-demand (by time, by number of uses, by number of client hosts) or one-off; and the authentication mode may be online or offline. These requirements can be combined arbitrarily, yet the implementation is transparent to the user and even to the developer. When a software company authorizes software, developers only need to extend the license system's authorization requirement class, without even modifying code, to manage the licenses of all kinds of software orders from a single interface; this greatly reduces developer workload and improves the experience of license system users.
Distributed certificate slices hand out the whole authorization on demand, greatly improving the flexibility of online authorization management. After a client has purchased usage duration for a piece of software, several users may use it, each on a different terminal. So that every user of the client can use the software on any terminal as needed, the management system issues a slice certificate of unit duration per user and login terminal, drawing on the client's total purchased duration until it is exhausted. An analogy: a merchant sells a whole loaf to a customer whose family stays at home; the merchant cuts the loaf into slices according to its specification, and the family members collect slices with coupons (the slice certificates) wherever they are, until the coupons run out. The family eats as much as it needs, the merchant knows how much was eaten and where (convenient for analysing consumption habits), and the cost of producing a slice and its coupon is low while the cost of counterfeiting them is higher.
The web virtual desktop makes personalised customisation easy: the user opens a browser, enters their own virtual work desktop and opens the software on it as on their own computer, which is simple and friendly. All software is deployed, configured and managed centrally by the virtual desktop server, so no matter how many virtual desktops the software appears in, the platform needs to deploy only one set of it, greatly reducing purchasing and operating costs.
Every authorization process is recorded in the system, and the usage state and behaviour of software users are monitored in real time, so the distribution and usage habits of users (such as usage time, place and frequency) can be analysed to support the company's operational decisions.
In addition, the invention decouples the license server from the software through an open interface. For in-house software, an authentication module is added when the software is modified; for outsourced software, a plug-in for secondary authentication is added. Code intrusiveness is minimal and the software development workload is greatly reduced.
In engineering practice the system can provide an open API, integrate authorization and authentication services in a loosely coupled way, provide a flexible and unified license management flow, and enable efficient collaboration between the roles in the system, thereby managing the full life cycle of software authorization. At the same time, the complete information flow, once aggregated, provides effective service reminders and decision analysis for software vendors and clients.
Drawings
FIG. 1 is a schematic diagram of an application scenario (design concept) of the system;
FIG. 2 is a schematic diagram of an LIC engine design in the present solution;
FIG. 3 is a schematic diagram of a certificate slice design in the present solution;
FIG. 4 is a schematic diagram of a virtual desktop design in the present solution;
FIG. 5 is a business flow diagram in an example;
FIG. 6 is a system block diagram in an example;
FIG. 7 is a schematic diagram of an authorization implementation in an example;
FIG. 8 is a schematic diagram of an authentication-login implementation in an example;
FIG. 9 is a schematic diagram of an authentication-verification implementation in an example.
Detailed Description
The method uses a License server to manage authorization of the order software of the cloud collaborative design platform; after authentication passes, the user obtains a certificate valid for one unit of time, and when it is used up a new one is issued, until the client's lease duration is exhausted.
In the License server the authentication service and the authorization service are decoupled by the bridging of an LIC engine; the authentication service is invoked by the software's authentication module.
1. The authorization service generates a certificate for the software when the order software is authorized.
2. The authentication service runs when the order software is authenticated:
first, the registration service in the LIC engine encodes the client host information, user information and software authorization code into a registration code and uploads it to the License server;
when the License server receives the registration code, it extends the certificate information through the authorization service, adding the client host information and user information from the registration code to form the complete certificate information, and submits it to the LIC engine;
then the LIC engine uses reflection analysis to convert the certificate information into key-value pairs in the form of a string readable by the software's authentication module;
finally the LIC engine generates and verifies the certificate.
A certificate of unit duration is called a certificate slice:
1) After the platform has authorized the user's software, the user can log in with the allocated account;
2) If the user's terminal already holds a registration code, go to step 3);
if the user's terminal is using the software for the first time, the authorization code provided by the software vendor must be entered to register. During registration the License server obtains the client's host information, encodes it together with the authorization code into a registration code, returns the registration code to the user, where it is stored locally, and at the same time generates a certificate slice;
3) The license server verifies the certificate slice;
4) The license server handles the verification result differently:
if the user is not authorized, the software exits and reminds the user;
if the certificate slice has expired, it checks whether any duration remains; if the duration is exhausted, the user is told that the purchased duration is used up and the login fails; if duration remains, the user is asked whether to start a new charging period, and once the client agrees the license server generates a new slice certificate;
if the certificate slice has not expired, it returns a list of software functions, an encrypted Token and the registration code; the returned Token is stored in the user's cookie, and the returned function list determines which functions the user can use after logging in to the software;
5) While the user is using the software, the software periodically sends the Token to the license server to verify whether the certificate slice is still valid or has expired.
The certificate information comprises the authorization requirements, the authorization code and the key information; the key information corresponds one-to-one with the authorization code and is used to encrypt and decrypt license certificates.
In the authentication service, a certificate is generated by encrypting the string form of the certificate information with one key of the key pair; it is verified by decrypting it with the other key of the pair, after which the key-value pairs are checked.
The invention is described in detail below by taking the digital collaborative design platform license management system (hereinafter "the system") of a process-industry company as an example:
1. business process design
As shown in fig. 5, the license management business flow of the system is as follows:
(1) Synchronizing orders: the license server periodically synchronizes authorizable order information from the CRM system (customer relationship management system) through an interface.
(2) Allocating an account: when authorizing staff see an order, they first allocate the user account (user name and password) for the rented software according to the order information, so that the user can log in to the software.
(3) Software authorization: authorizing staff can configure extended authorization information on top of the order information in the system to form the final authorization requirement. After authorization, the system automatically generates an asymmetric key pair and an authorization code that correspond one-to-one with the authorized software.
(4) User login: once the software is authorized, the user side can use it. When the user opens the software on the virtual desktop and logs in, the software uploads the user information and a registration code, or an authorization code if not yet registered, and calls the license server's login interface for authentication. Before calling the login interface the software first checks whether the virtual machine it runs on is registered; if not, it uploads the software authorization code configured on the virtual machine (step 5); if so, it uploads the virtual machine's software registration code (step 6).
(5) Registering a virtual machine: on receiving the login request, the license server verifies the certificate directly if a registration code was received. Otherwise it registers the virtual host, generates a registration code and returns it (step 4). On receiving the registration code, the software stores it at a designated path on the virtual host.
(6) Checking the certificate: if registered, the license server looks up whether a valid certificate exists for the user name and registration code; if so, the user can use the software with the authorization information.
(7) Generating a certificate: if there is no valid certificate, the license server first checks whether any of the client's purchased duration for the software remains. If so, it generates a slice certificate for the user from the certificate information, valid for one slice time unit (configurable), and then proceeds to verification. Otherwise it returns the error "the software purchase duration has been exhausted".
(8) During use, the software calls the license server's verification interface at a set interval to verify the certificate's validity in real time.
(9) If the user is idle for a long time during use, the software calls the license server's logout interface.
(10) If the user closes the software or goes offline, the software calls the license server's shutdown interface.
(11) The license server counts the user's usage behaviour and current state from the software's service calls.
2. System design
As shown in fig. 6, development of the example system is divided into the following modules:
(1) License server, providing the various services of license management.
This module adopts a layered architecture: the data layer uses an Oracle database; the persistence layer integrates the mybatis-plus framework to give the service layer data access; the service layer implements the business logic; and the interface layer exposes a RESTful API on top of the service layer.
In the service layer:
the LIC tool provides the basic functions used by licensing;
the LIC engine provides the core license services;
the online/offline service provides license services for specific business scenarios;
other business services provide the remaining license-related services (e.g. vendor management, software version management, software function management, software user management, order management, authorization management, registered host management, license statistics and analysis);
in addition, the service layer provides cross-cutting (aspect) management such as logging, security and caching.
(2) The License module of the software, responsible for the software's authentication.
(3) The CRM system interface, responsible for connecting to the CRM to synchronize customers' order information.
3. Detailed description of the embodiments
1) Authorization implementation logic
As shown in fig. 7, after the system receives an order, it authorizes each order line item (the sold or rented software) as follows:
(1) Creating a user account: an account is created for the user of the sold (rented) software, including a user name, password and role.
(2) Preparing certificate content: a piece of certificate information is initialized from the sales information of the sold (rented) software, comprising the software version, alias, validity period, user type, number of users, authentication mode, authorization number, number unit, function id list, user id list and other information, and is stored in a database.
(3) Preparing a certificate key: a pair of RSA asymmetric keys (public key and private key) is created for the sold (rented) software with an encryption/decryption tool, and the pair is then stored in the database as character strings.
(4) Generating an authorization code: the manufacturer code, software code, version number and order serial number of the sold (leased) software are encoded to produce a unique identification code for that software, the authorization code, which is then written back into the order details.
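The authorization steps above as an added example in Go (not the patent's or the license server's own code): the RSA pair kept as PEM strings, the authorization code, and, following claim 4 of this page, a certificate produced with one key of the pair and checked with the other. The ':'-joined base64url authorization code and the RSA-PSS signature over the JSON certificate body are this example's assumptions; the page fixes neither encoding.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"strings"
)

// CertificateInfo is the step (2) certificate content with the page's field list; the registration code is filled in when the client host registers.
type CertificateInfo struct {
	SoftwareVersion, Alias, ValidUntil, UserType string
	UserCount, AuthorizedCount                   int
	AuthMode, CountUnit, RegistrationCode        string
	FunctionIDs, UserIDs                         []string
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// pemDER returns the DER bytes inside a PEM string, or nil if the string is not PEM.
func pemDER(s string) []byte {
	if block, _ := pem.Decode([]byte(s)); block != nil {
		return block.Bytes
	}
	return nil
}

// GenerateKeyPair is step (3): one RSA pair per sold software, PEM-encoded for storage as two strings.
func GenerateKeyPair() (string, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	priv := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	pub := pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&key.PublicKey)})
	return string(priv), string(pub), nil
}

// AuthorizationCode is step (4): manufacturer code, software code, version number and order
// serial number encoded into one identifier. Joining with ':' and base64url is this example's assumption.
func AuthorizationCode(manufacturer, software, version, orderSerial string) string {
	return b64([]byte(strings.Join([]string{manufacturer, software, version, orderSerial}, ":")))
}

// GenerateCertificate realises claim 4's "encrypt with one key of the pair" as an RSA-PSS signature by the private key over the JSON certificate body.
func GenerateCertificate(info CertificateInfo, privPEM string) (string, error) {
	key, err := x509.ParsePKCS1PrivateKey(pemDER(privPEM))
	if err != nil {
		return "", err
	}
	body, _ := json.Marshal(info)
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return b64(body) + "." + b64(sig), nil
}

// VerifyCertificate is the "decrypt with the other key" side: the license module checks the signature with the public key before trusting any field.
func VerifyCertificate(cert, pubPEM string) (info CertificateInfo, err error) {
	pub, err := x509.ParsePKCS1PublicKey(pemDER(pubPEM))
	if err != nil {
		return info, err
	}
	parts := strings.Split(cert, ".")
	if len(parts) != 2 {
		return info, errors.New("malformed certificate")
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	digest := sha256.Sum256(body)
	if err1 != nil || err2 != nil || rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) != nil {
		return info, errors.New("certificate signature invalid")
	}
	err = json.Unmarshal(body, &info)
	return info, err
}
```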
2) Authentication implementation logic
When the online authentication service is used, the user only needs to enter the authorization code on the first login after the software is installed; subsequent use only requires a normal login, and the software's license module automatically calls the service interfaces to complete all authentication and statistics. That is, the interaction between the software and the license server is completely transparent to the user. The logic of online license management is described below through the implementation of the online service interfaces.
Login service:
as shown in fig. 8, the login service is implemented as follows:
(1) User login: when a user logs in to the software, the software's license module determines from its local configuration whether the software is registered on this host; if not, it uploads the configured authorization code together with the account to the server; if so, it uploads the configured registration code together with the account.
(2) Registering a host: after receiving the login request, the server proceeds to (3) if a registration code was received. Otherwise it obtains the client host IP, re-encodes it together with the authorization code to generate a registration code containing the host information, and writes the registration code into the certificate information. If the client host appears for the first time, it is also written to the database.
(3) Checking the account: once registered, the server first verifies the user's account; if the account is correct, it generates a JWT token containing the user name, the registration code, the token expiration time (configurable) and a signature generated with the HMAC256 algorithm.
(4) Checking the certificate: after the account check, the system searches for a valid certificate by user name and registration code; if one exists, it returns the user's function authority (function id list) and the token. Otherwise, go to (5).
(5) Generating a certificate: the server first checks whether any purchased usage duration remains for the software; if so, it generates a slice certificate for the user from the certificate information, with a validity period of one slice time unit (configurable), and returns the user's function authority (function id list) and the token. Otherwise it returns the error "the software purchase duration has been exhausted".
Verification service:
as shown in fig. 9, the verification service is implemented as follows:
for security, the software periodically submits the token generated at the previous login to the license server to verify the certificate, and the server decrypts the token on receipt. If the token has expired, the server returns an error telling the user to log in again. If the token has not expired, the server checks the validity of the slice certificate by the user name and registration code carried in the token, and if the slice certificate is invalid, returns an error message to the user.
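The login and verification services above as an added example in Go (not the patent's or the license server's code): a token carrying user name, registration code and expiry signed with HMAC-SHA256 (the page's HMAC256, JWT HS256 layout), slice certificates cut from the remaining purchased duration, and the periodic check that rejects an expired token before it looks at the slice. The maps stand in for the database, the account/password check is omitted, and the registration code values are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// LicenseServer models the login and verification services; the maps stand in for the database.
type LicenseServer struct {
	TokenKey            []byte                   // HMAC key for the HS256 login token
	TokenTTL, SliceUnit time.Duration            // configurable token expiry and slice time unit
	Remaining           map[string]time.Duration // purchased duration left, per registration code
	Slices              map[string]time.Time     // expiry of the current slice, per user|registration code
	Now                 func() time.Time         // injectable clock so expiry can be exercised
}

var ErrExhausted = errors.New("the software purchase duration has been exhausted")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (s *LicenseServer) mac(input string) []byte {
	m := hmac.New(sha256.New, s.TokenKey)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// issueToken is login step (3): user name, registration code and expiry, HMAC-SHA256 signed (JWT HS256 layout).
func (s *LicenseServer) issueToken(user, regCode string) string {
	payload, _ := json.Marshal(map[string]interface{}{
		"sub": user, "reg": regCode, "exp": s.Now().Add(s.TokenTTL).Unix()})
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(s.mac(input))
}

// parseToken checks the signature before trusting any claim, then the expiry; the header's alg is never honoured.
func (s *LicenseServer) parseToken(tok string) (user, regCode string, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", "", errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, s.mac(parts[0]+"."+parts[1])) {
		return "", "", errors.New("invalid token signature")
	}
	var c struct {
		Sub, Reg string
		Exp      int64
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return "", "", errors.New("malformed token payload")
	}
	if s.Now().Unix() >= c.Exp {
		return "", "", errors.New("token expired, please log in again")
	}
	return c.Sub, c.Reg, nil
}

// Login is login steps (4) and (5): reuse a valid slice, else cut one from the remaining duration.
func (s *LicenseServer) Login(user, regCode string) (string, error) {
	key := user + "|" + regCode
	if exp, ok := s.Slices[key]; !ok || !s.Now().Before(exp) {
		if s.Remaining[regCode] <= 0 {
			return "", ErrExhausted
		}
		s.Remaining[regCode] -= s.SliceUnit
		s.Slices[key] = s.Now().Add(s.SliceUnit)
	}
	return s.issueToken(user, regCode), nil
}

// Verify is the periodic verification service: the token first, then the slice it names.
func (s *LicenseServer) Verify(tok string) error {
	if user, regCode, err := s.parseToken(tok); err != nil {
		return err
	} else if exp, ok := s.Slices[user+"|"+regCode]; !ok || !s.Now().Before(exp) {
		return errors.New("certificate slice invalid")
	}
	return nil
}
```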
Log-out service:
when the user has not operated the software for a long time, the software logs out and submits the token to notify the license server.
Closing the service:
when the user closes the software, the software likewise submits the token to notify the license server.
Statistics:
all services trigger license statistics events to count user behaviors.
In engineering practice, the design software on the platform comes from two main sources, in-house and outsourced. In-house software accesses the authentication service of the license server through its own built-in authentication module. Outsourced software can only be invoked after modification, so a plug-in for secondary authentication must be developed for it to implement custom authentication. Software authentication only needs to call the license service interfaces, and the amount of development code is small.
Claims (10)
1. An authorization management method for a cloud design platform of a process industrial digital factory, in which a plurality of design software applications are provided for rental in the application server cluster of the cloud design platform, characterized in that a License server performs authorization management of the ordered software of the cloud collaborative design platform; after authentication passes, a user obtains a certificate of unit duration, and when a certificate is used up another is obtained, until the client's rental duration is exhausted;
in the License server, the authentication service and the authorization service are decoupled by bridging through the LIC engine; the authentication service is invoked by the authentication module of the software;
1. the authorization service: generating a certificate for the software when the ordered software is authorized;
2. the authentication service: when the ordered software is authenticated,
first, a registration service in the LIC engine encodes the client host information, the user information and the software authorization code to generate a registration code and uploads the registration code to the License server;
when the License server receives the registration code, the authorization service expands the certificate information by adding the client host information and the user information from the registration code, forming complete certificate information, and submits it to the LIC engine;
then the LIC engine uses reflection to convert the certificate information into key-value pairs, in string form, readable by the authentication module of the software;
the LIC engine then performs the certificate generation and the certificate verification.
2. The authorization management method for a cloud design platform of a process industrial digital factory according to claim 1, wherein the certificate of unit duration is called a certificate slice;
1) after the platform has authorized the software for the user, the user can log in and use it through the allocated account;
2) if the user's terminal already has a registration code, proceed to step 3);
if the user's terminal uses the software for the first time, the user must enter the authorization code provided by the copyright holder to register; during registration, the License server obtains the client host information, encodes it together with the authorization code to generate a registration code, returns the registration code to the user, where it is stored locally, and at the same time generates a certificate slice;
3) the license server verifies the certificate slice;
4) the license server handles the verification result as follows:
if the user is not authorized, the software exits and notifies the user;
if the certificate slice has expired, the server further checks whether any duration remains; if the duration is exhausted, the user is told that the purchased duration is exhausted and that login has failed; if duration remains, the user is asked whether to start a new charging period, and after the client agrees the license server generates a new slice certificate;
if the certificate slice has not expired, a software function list, an encrypted Token and the registration code are returned; the returned Token is stored in the user's cookie, and the returned function list determines the functions the user can use after logging in to the software;
5) while the user uses the software, the software periodically sends the Token to the license server to verify whether the certificate slice is still valid or has expired.
3. The authorization management method for a cloud design platform of a process industrial digital factory according to claim 1, wherein the certificate information includes an authorization requirement, an authorization code and key information; the key information corresponds one-to-one to the authorization code and is used for encrypting/decrypting the license certificate.
4. The authorization management method for a cloud design platform of a process industrial digital factory according to claim 3, wherein in the authentication service, generating the certificate means encrypting the certificate information into a character string with one key of the key pair held in the certificate information, which produces the certificate; verifying the certificate means decrypting the certificate with the other key of the pair, by which the verification is performed.
5. An authorization management system for a cloud design platform of a process industrial digital factory using the authorization management method according to any one of claims 1 to 4, characterized by comprising: the License server, a License module of the software and a CRM system interface;
1. the License server offers the various services of authorization management; it adopts a layered architecture comprising an interface layer, a service layer, a persistent layer and a data layer; the service layer provides the service implementation logic; the interface layer provides an API for the service layer; the persistent layer implements the access of each service of the business layer to the data stored in the data layer;
the business layer comprises an LIC tool, an LIC engine, an online certificate service module, an offline certificate service module, other business service modules and a general cross-cutting (aspect) management module, wherein: the LIC tool provides the basic functions used by software licensing; the LIC engine provides the core services of software licensing; the online and offline services respectively provide software license services for online and offline business scenarios; the other business services provide other services related to software licensing;
2. the License module of the software is used for implementing the authentication of the software;
3. the CRM system interface is used for interfacing with the CRM system to synchronize the user's order information;
the software license management business flow of the authorization management system is as follows:
1) Synchronizing orders: the license server synchronizes authorized order information from the CRM system through the CRM system interface;
2) Allocating an account: user accounts for the rented software are allocated according to the order information;
3) Software authorization: extended authorization information is configured on top of the order information to form the final authorization requirement; after authorization, the authorization management system generates an asymmetric key pair and an authorization code in one-to-one correspondence with the authorized software;
4) User login: once the software is authorized, the user side can use it;
when a user opens the software to log in, the user information and either a software registration code or a software authorization code are uploaded; the License module of the software calls the login interface of the License server to authenticate, and determines whether the accessing virtual machine is registered:
if not, the software authorization code configured on the virtual machine is uploaded and the flow proceeds to step 5) to register the virtual machine;
if the virtual machine is registered, its software registration code is uploaded and the flow proceeds to step 6) to check the certificate;
5) Registering a virtual machine: after receiving the software login request, the license server verifies the certificate directly if a registration code was received; otherwise it registers the virtual host, generates the registration code and returns to step 4);
after receiving the registration code, the software stores it at a designated path on the virtual host;
6) Checking the certificate: if the user is registered, the license server searches for a valid certificate by user name and registration code; if a valid certificate exists, the user uses the software according to the authorization information and the flow proceeds to step 8); if no valid certificate exists, the certificate is confirmed invalid and the flow proceeds to step 7) to generate a certificate;
7) Generating a certificate: the license server first determines whether any of the user's purchased usage time for the software remains:
if usage time remains, a slice certificate is generated for the user from the certificate information, and the flow returns to step 6) to verify the certificate;
if no usage time remains, the software is closed;
8) During use, the License module of the software returns to step 6) by calling the check interface of the License server, so that the validity of the certificate is checked in real time;
9) if the user does not operate the software for a long time during use, the License module of the software calls the logout interface of the License server;
10) if the user closes the software or goes offline, the License module of the software calls the closing interface of the License server;
11) the License server counts the user's usage behaviour and current state according to the software's service calls.
6. The authorization management system for a cloud design platform of a process industrial digital factory according to claim 5, wherein the license server performs the following steps:
a) Creating a user account: an account is created for the user of the software, encapsulating a user name, a password and a role;
b) Preparing certificate content: a piece of certificate information is initialized from the sales information of the software, the certificate information comprising: software version, alias, validity period, user type, number of users, authentication mode, authorization number, number unit, function id list and user id list;
the data are then stored in a database;
c) Preparing a certificate key: a pair of RSA asymmetric keys is created for the software with an encryption/decryption tool and then stored in the database as character strings;
d) Generating an authorization code: the software manufacturer code, the software code, the version number and the software order serial number are encoded to generate a software authorization code, which is the unique identification code of the software;
the authorization code is then written back into the software order.
7. The authorization management system for a cloud design platform of a process industrial digital factory according to claim 6, wherein the License module of the software implements the authentication process of the software, which is completed by the License module calling the service interfaces; the service interfaces comprise a login interface, a check interface, a logout interface and a closing interface.
8. The authorization management system for a cloud design platform of a process industrial digital factory according to claim 5, wherein in step 4), after receiving a software login request, the License server checks the user's account if a registration code is received; if no registration code is received, the user's virtual host IP is obtained and re-encoded together with the authorization code to generate a registration code containing the virtual host information, which is then written into the certificate information; if the user's host appears for the first time, it is written into the database;
the server checks the user's account, and if the account is correct a Token is generated, the Token comprising a user name, a registration code, a token expiration time and a signature.
9. The authorization management system for a cloud design platform of a process industrial digital factory according to claim 5, wherein in step 6), after the account has been checked, the server searches by user name and registration code for a valid certificate, and if a valid certificate exists, returns the function authority and Token owned by the user;
if not, the flow proceeds to step 7) to generate the certificate; during certificate generation, if purchased usage time remains for the software, a slice certificate is generated and the function authority and Token owned by the user are returned.
10. The authorization management system for a cloud design platform of a process industrial digital factory as recited in claim 5, wherein the verification service, provided by invoking the verification interface of the license server, is: the software submits the token generated during the previous login to the license server at regular intervals to verify the certificate; on receipt, the server decrypts the token; if the token has expired, the license server returns an error reminding the user to log in again; if the token has not expired, the license server verifies the validity of the slice certificate according to the user name and registration code carried by the token, and if the slice certificate is invalid, returns an error message to the user;
the logout service, provided by calling the logout interface of the license server, is: when the user has not operated the software for a long time, the software logs out and submits the token to notify the license server;
the closing service, provided by calling the closing interface of the license server, is: when the user closes the software, the software submits the token to notify the license server;
the statistics of the user's usage behaviour invoked in step 11) are as follows: all services trigger license statistics events to count user behaviour.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310513350.7A (CN116415222B) | 2023-05-09 | 2023-05-09 | Authorization management method and system for cloud design platform of process industrial digital factory |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116415222A | 2023-07-11 |
| CN116415222B | 2023-10-20 |
Family ID: 87051223
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116415222B |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |