
CN105827574B - A kind of file access system, method and device - Google Patents

A kind of file access system, method and device

Info

Publication number
CN105827574B
CN105827574B
Authority
CN
China
Prior art keywords
file
server
access
terminal
access request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510007385.9A
Other languages
Chinese (zh)
Other versions
CN105827574A (en)
Inventor
冀文
杜雪涛
薛珊
陈涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Design Institute Co Ltd
Original Assignee
China Mobile Group Design Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Group Design Institute Co Ltd
Priority to CN201510007385.9A
Publication of CN105827574A
Application granted
Publication of CN105827574B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a file access system, method and device that effectively prevent the bytes of an accessed file from reaching the terminal, improving the security of the accessed file. The file access system comprises a terminal, a system client and a system server. The terminal sends an access request carrying a file identification (ID) to the system client and displays the file opened by the system server. The system client forwards the access request carrying the file ID, sent by the terminal, to the system server, accesses the file opened by the system server through a virtual channel established with the system server, and makes it available for display on the terminal. The system server receives the access request, obtains the file path corresponding to the file ID carried in the access request from a stored correspondence between file IDs and file paths, determines the file the obtained path points to, and opens the determined file using a local application program.

Description

A kind of file access system, method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a file access system, method and device.
Background technique
In an enterprise intranet, user information, sales data and the like are usually distributed and stored in the form of electronic documents. In the communications industry, for example, business departments may need to obtain customer data in order to carry out precision marketing, handle customer complaints or perform analysis. If no measures are taken to protect these data, customer data exported in bulk as electronic documents will leak. Technologies are therefore needed to prevent unauthorised access to and use of electronic documents.
In general, the solution adopted against electronic document leakage is to set up a firewall or an intrusion detection system between the company intranet and the extranet. These measures, however, no longer protect a sensitive document once it has been accessed by, or is in the hands of, an authorised user, because in many cases the attacker is an authorised user. Other methods, such as restricting removable media on users' computers, inconvenience users' work and increase the system's maintenance workload; filtering mail content by inspection cannot detect sensitive documents that an attacker has encrypted or obfuscated; and existing DRM (Digital Rights Management) systems, although fairly effective at protecting enterprise sensitive documents, still expose the true content of the file to the authorised user, so once an attacker passes the permission check the document's information may still be leaked. Existing file access methods therefore still suffer from poor security.
Summary of the invention
Embodiments of the present invention provide a file access system, method and device to solve the poor security of existing file access methods.
A file access system, comprising a terminal, a system client and a system server;
the terminal is configured to send an access request carrying a file identification (ID) to the system client and to display the file opened by the system server;
the system client is configured to forward the access request carrying the file ID sent by the terminal to the system server, and to access the file opened by the system server through a virtual channel established with the system server, for display on the terminal;
the system server is configured to receive the access request, obtain from a stored correspondence between file IDs and file paths the file path corresponding to the file ID carried in the access request, determine the file the obtained file path points to, and open the determined file using a local application program.
A file access method, comprising:
receiving an access request, forwarded by a system client and originating from a terminal, that carries a file identification (ID);
obtaining, from a stored correspondence between file IDs and file paths, the file path corresponding to the file ID carried in the access request;
determining the file the obtained file path points to and opening the determined file using a local application program, so that the system client accesses the file opened by the system server through a virtual channel established with the system server, for display on the terminal.
A file access method, comprising:
forwarding an access request carrying a file ID, sent by a terminal, to the system server, so that the system server determines the file according to the file ID and opens it using a local application program;
accessing the file opened by the system server through a virtual channel established with the system server, for display on the terminal.
A file access device, comprising:
a receiving module, configured to receive an access request, forwarded by a system client and originating from a terminal, that carries a file identification (ID);
a file path obtaining module, configured to obtain, from a stored correspondence between file IDs and file paths, the file path corresponding to the file ID carried in the access request;
a file opening module, configured to determine the file the obtained file path points to and open the determined file using a local application program, so that the system client accesses the file opened by the system server through a virtual channel established with the system server, for display on the terminal.
A file access device, comprising:
a forwarding module, configured to forward an access request carrying a file ID, sent by a terminal, to the system server, so that the system server determines the file according to the file ID and opens it using a local application program;
an access module, configured to access the file opened by the system server through a virtual channel established with the system server, for display on the terminal.
In the solution of the embodiments of the present invention, the file access system consists of a terminal, a system client and a system server. The system client forwards the terminal's access request, the system server uses its own application program to open the file denoted by the file ID carried in the access request, and the system client then accesses the opened file through the virtual channel between the system server and the system client and makes it available for display on the terminal. Because the opened file is accessed through the virtual channel and only displayed on the terminal, the bytes of the accessed file are effectively prevented from reaching the terminal. Whatever operation the terminal performs on the electronic file, the application program that opens the file runs on the system server, yet the user of the terminal perceives no difference and can operate normally, as if the file were being operated on locally at the terminal.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the file access system in an embodiment of the present invention;
Fig. 2 is a structural schematic diagram of the system server in an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of the system client in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the system server and the system client cooperating to complete file access in an embodiment of the present invention;
Fig. 5 is a flow chart of the file access method on the system server side in an embodiment of the present invention;
Fig. 6 is a flow chart of the file access method on the system client side in an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of the file access device on the system server side in an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of the file access device on the system client side in an embodiment of the present invention.
Specific embodiment
In the solution of the embodiments of the present invention, the file access system consists of a terminal, a system client and a system server. The system client forwards the terminal's access request, the system server uses its own application program to open the file denoted by the file ID carried in the access request, and the system client then accesses the opened file through the virtual channel between the system server and the system client and makes it available for display on the terminal. Because the opened file is accessed through the virtual channel and only displayed on the terminal, the bytes of the accessed file are effectively prevented from reaching the terminal. Whatever operation the terminal performs on the electronic file, the application program that opens the file runs on the system server, yet the user of the terminal perceives no difference and can operate normally, as if the file were being operated on locally at the terminal.
The solution of the present invention is described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, the file access system in an embodiment of the present invention comprises a terminal 11, a system client 12 and a system server 13;
the terminal 11 is configured to send an access request carrying a file identification (ID) to the system client and to display the file opened by the system server;
specifically, the terminal can send the above access request to the system client through a browser or a shell command;
the system client 12 is configured to forward the access request carrying the file ID sent by the terminal to the system server, and to access the file opened by the system server through a virtual channel established with the system server, for display on the terminal;
the system server 13 is configured to receive the access request, obtain from a stored correspondence between file IDs and file paths the file path corresponding to the file ID carried in the access request, determine the file the obtained file path points to, and open the determined file using a local application program.
In the above scheme, one system client can serve multiple terminals, that is, receive access requests sent by multiple terminals, and one system server can likewise serve multiple system clients;
to further ensure file security, the access request preferably also carries the identity information of the user;
the system client 12 is further configured to authenticate the user identity information; when authentication passes, to obtain, from a stored correspondence between file IDs and classification levels, the classification level corresponding to the file ID carried in the access request; and, when it determines that the access authority of the user represented by the user identity information covers the obtained classification level, to forward the access request carrying the file ID sent by the terminal to the system server. The classification level denotes the degree of secrecy of a file and can be divided into top secret, secret and confidential. Each user can be assigned certain access authority in advance, stored on the system client; once the user passes authentication, the stored access authority of that user and the classification level of the file determine whether the user may access the file;
when there are many files, stored on multiple servers connected to the system server, the system server needs to store the correspondence between file ID, server IP and file path, so that once the file ID is known, the IP address of the server holding the file denoted by that ID and the file path on the server at that IP address can be determined, and the file can be found.
In this way, the file never leaves the file server, and it can only be accessed successfully when the identity information passes authentication and carries access authority for that file, which guarantees file security at multiple levels.
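The following is an added example, not code from the patent or its applicant, modelling the terminal / system client / system server split described above: the system client authenticates the user and checks the file's classification level against the user's access authority before forwarding, and the system server resolves the file ID to a server IP and path and "opens" the file locally, handing back only a virtual-channel session handle, so the terminal never receives a path or file bytes. The users, IDs, paths and the numeric ordering of the three classification levels are constructed for illustration.

```python
"""Added example (not from the patent): client-side clearance check and
server-side file ID resolution. All names, IDs and paths are constructed."""
import hmac
from dataclasses import dataclass, field

# The patent names top secret, secret and confidential; the numeric ranking
# used for comparison is this example's assumption.
LEVELS = {"confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class SystemServer:
    catalog: dict                      # file ID -> (server IP, file path)
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def open_file(self, file_id, user):
        """Resolve the ID and open the file with a local viewer (simulated)."""
        entry = self.catalog.get(file_id)
        if entry is None:
            self.audit_log.append(("deny", user, file_id, "unknown file id"))
            return None
        # Only the server ever sees the real location; the session handle is
        # the sole thing that travels back over the virtual channel.
        handle = f"vc-{len(self.sessions) + 1}"
        self.sessions[handle] = entry
        self.audit_log.append(("open", user, file_id, handle))
        return handle


@dataclass
class SystemClient:
    server: SystemServer
    credentials: dict                  # user -> password (plaintext only for brevity)
    clearance: dict                    # user -> highest level the user may access
    file_levels: dict                  # file ID -> classification level of the file

    def access(self, user, password, file_id):
        """Authenticate, check clearance, forward; return what the terminal gets."""
        expected = self.credentials.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return {"ok": False, "reason": "authentication failed"}
        level = self.file_levels.get(file_id)
        if level is None:
            return {"ok": False, "reason": "unknown file id"}
        # The file's level must be within the user's stored access authority.
        if LEVELS[level] > LEVELS.get(self.clearance.get(user), 0):
            return {"ok": False, "reason": "insufficient clearance"}
        handle = self.server.open_file(file_id, user)
        if handle is None:
            return {"ok": False, "reason": "file not found on server"}
        return {"ok": True, "session": handle}


def build_demo():
    """Constructed sample deployment: two files, two users."""
    server = SystemServer(catalog={"F001": ("10.0.0.5", "/srv/docs/customers.xlsx"),
                                   "F002": ("10.0.0.6", "/srv/docs/board.docx")})
    return SystemClient(server,
                        credentials={"alice": "alice-pw", "bob": "bob-pw"},
                        clearance={"alice": "secret", "bob": "confidential"},
                        file_levels={"F001": "secret", "F002": "top_secret"})


if __name__ == "__main__":
    client = build_demo()
    print(client.access("alice", "alice-pw", "F001"))  # {'ok': True, 'session': 'vc-1'}
    print(client.access("bob", "bob-pw", "F001"))      # insufficient clearance
    print(client.server.audit_log)
```

The reply to the terminal is deliberately a flat dictionary with only `ok`, `session` and a `reason`; the catalogue holding real paths lives in `SystemServer` and is never serialised towards the client, which is the property the patent relies on.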
Preferably, the system server 13 is further configured to embed the identity information into the determined file using digital watermarking technology before opening the determined file using the local application program.
Since the user identity information is thus embedded into the file, the identity of the leaker can be determined quickly if the file is leaked, which effectively deters users who have accessed the file from leaking it and further ensures file security.
Preferably, the system server 13 is further configured, after obtaining the file path corresponding to the file ID carried in the access request, to encrypt the file ID and the corresponding file path and send them to the system client;
the system client 12 is further configured to receive the encrypted file ID and corresponding file path, decrypt the file ID, establish a correspondence between the decrypted file ID and the encrypted file path, and, upon receiving from the terminal an operation request to obtain a copy of the file denoted by that file ID, obtain the encrypted file path corresponding to the file ID from the correspondence and display the encrypted file path on the terminal.
Here, before obtaining the encrypted file path corresponding to the file ID from the correspondence, the system client 12 may also determine, according to the user's identity information, whether the user represented by that information has the operating right to obtain a copy of the file, and only obtain the encrypted file path corresponding to the file ID from the correspondence when the user has that right, further guaranteeing file security;
the above operation request to obtain a copy of the file may be a request to download, copy or cut the file, to attach it to an e-mail, and so on;
in this way, when the system client and the system server communicate over a network, leakage of the file path and file ID is effectively prevented, and the system client can answer the terminal's request to obtain a copy of the file with the encrypted file path: when the user copies or cuts the file, attaches it to an e-mail or makes a similar request to obtain a copy, the encrypted file path is displayed on the terminal and the terminal never obtains any bytes of the file content locally, further ensuring file security.
In addition, when files are stored on multiple servers connected to the system server, the system server and the system client need to store the correspondence between the file ID and the IP and file path of the server holding the file; when the terminal's request to obtain a copy of the file denoted by the file ID is received, the IP address of the server holding the file is returned to the terminal together with the encrypted file path.
After the terminal obtains the encrypted file path, it can use that encrypted file path to access the file. The specific access process is: the terminal sends an access request carrying the file path to the system client; the system client receives the access request carrying the file path from the terminal and sends it to the system server; the system server determines the file pointed to by the file path carried in the access request and opens the determined file using the local application program; and the system client accesses the file opened by the system server through the virtual channel established with the system server, for display on the terminal;
that is, the system client 12 is further configured to receive the access request carrying the file path from the terminal and send the access request carrying the file path to the system server;
the system server 13 is further configured, upon receiving the access request carrying the file path, to determine the file pointed to by the file path carried in the access request and open the determined file using the local application program.
In addition, to further protect file security when a file is accessed by file path, the user identity information may also be carried in the access request: the system client authenticates the identity information, and the system server compares the classification level of the file ID against the user identity information and embeds the user identity information into the file. The process is then as follows: the terminal sends an access request carrying the file path and the user identity information to the system client; the system client authenticates the identity information and, once authentication passes, compares the access authority of the identity information in the access request with the classification level corresponding to the ID of the file found; when it determines that the access authority of the identity information covers the classification level corresponding to the file's ID, it sends the access request carrying the file path and user identity information to the system server; the system server finds the file using the file path and opens the determined file using the local application program; and the system client accesses the file opened by the system server through the virtual channel established with the system server, for display on the terminal.
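The following added example (not code from the patent or its applicant) shows how copy-type requests are answered with an encrypted file path instead of content, and how such a path is later resolved only on the system server. The patent encrypts the file ID and path with an unspecified algorithm (its description mentions MD5 and RC4 as examples; MD5 is a hash rather than a cipher and RC4 is broken, so neither is a suitable choice today); this example substitutes a random opaque handle that only the server can map back to the real path, which gives the terminal exactly the same information and avoids a hand-rolled cipher. The operation names, copy rights, IDs and paths are constructed.

```python
"""Added example (not from the patent): encrypted-path stand-in for copy
requests and access by path. IDs, paths and rights are constructed."""
import secrets

# Operation requests the patent treats as "obtain a copy of the file".
COPY_OPERATIONS = {"download", "copy", "cut", "mail_attachment"}


class SystemServer:
    def __init__(self, catalog):
        self.catalog = catalog          # file ID -> (server IP, real file path)
        self.opaque = {}                # opaque path -> file ID (server-side only)

    def resolve(self, file_id):
        """Return (file_id, server_ip, opaque_path) for a known ID, else None.

        The opaque path plays the role of the encrypted file path; the real
        path never leaves this object."""
        entry = self.catalog.get(file_id)
        if entry is None:
            return None
        server_ip, _real_path = entry
        opaque = "enc:" + secrets.token_hex(16)
        self.opaque[opaque] = file_id
        return file_id, server_ip, opaque

    def open_by_path(self, opaque):
        """Access by encrypted path: resolve on the server, open locally (simulated)."""
        file_id = self.opaque.get(opaque)
        if file_id is None:
            return None
        server_ip, _real_path = self.catalog[file_id]
        # A viewer session over the virtual channel; the bytes stay on the server.
        return f"viewer://{server_ip}/{file_id}"


class SystemClient:
    def __init__(self, server, copy_rights):
        self.server = server
        self.copy_rights = copy_rights  # user -> set of file IDs the user may copy
        self.paths = {}                 # file ID -> (server IP, opaque path)

    def access(self, file_id):
        """Initial access by file ID; stores the opaque path for later copy requests."""
        resolved = self.server.resolve(file_id)
        if resolved is None:
            return None
        fid, server_ip, opaque = resolved
        self.paths[fid] = (server_ip, opaque)
        return self.server.open_by_path(opaque)

    def copy_request(self, user, file_id, operation):
        """Download/copy/cut/attach: reply with server IP and opaque path, never bytes."""
        if operation not in COPY_OPERATIONS:
            raise ValueError(f"not a copy-type operation: {operation}")
        if file_id not in self.copy_rights.get(user, set()):
            return None                 # user lacks the right to obtain a copy
        return self.paths.get(file_id)

    def access_by_path(self, opaque):
        """Later access using the encrypted path the terminal was shown."""
        return self.server.open_by_path(opaque)


def build_demo():
    """Constructed deployment: one file, one user allowed to copy it."""
    server = SystemServer({"F001": ("10.0.0.5", "/srv/docs/customers.xlsx")})
    return SystemClient(server, copy_rights={"alice": {"F001"}})
```

A real deployment would use an authenticated cipher for the path so the handle is bound to its server; the table-of-handles approach here has the same effect on the terminal side, which only ever sees the `enc:` token and the server IP.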
The system client in an embodiment of the present invention can be realised by the modules shown in Fig. 2, and the system server by the modules shown in Fig. 3;
in Fig. 2, the system client comprises an I/O manager, a system document processor and a client access control component; the system document processor comprises a shared memory, a file filter control interface and a system time management module;
the access process in an embodiment of the present invention is described below with the modules shown in Fig. 2 and Fig. 3:
Step 1: the terminal's browser sends account information (the account information here is the user identity information) through the I/O manager of the system client to the client access control component of the system client;
Step 2: the client access control component receives the account information and authenticates it; if authentication fails, a prompt is given and the session is terminated; if authentication passes, step 3 is executed;
Step 3: the client access control component receives the terminal's access request carrying the file ID and the user identity information, and obtains, from the correspondence between file IDs and classification levels stored in the shared memory of the system document processor, the classification level corresponding to the file ID carried in the access request; when it determines that the access authority of the user represented by the user identity information covers the obtained classification level, step 4 is executed; otherwise a prompt is given and the session is terminated;
Step 4: the client access control component sends the above access request to the system document processor, and step 5 is executed;
Step 5: the file filter interface in the system document processor sends the above access request to the file filter interface of the system server over the CIFS (Common Internet File System) protocol, and step 6 is executed;
Step 6: the file filter of the system server receives the above access request and looks up, in the correspondence stored in its memory buffer between file IDs and the IP address and file path of the server holding each file, the IP address and file path of the server holding the file corresponding to the file ID carried in the access request; it encrypts the file ID together with the found server IP address and file path and sends them to the file filter interface of the system client; the system client then executes step 7, while the system server executes step 8 at the same time or afterwards;
the process of steps 5 and 6 is shown in Fig. 4, a schematic diagram of the system client and the system server communicating over the network. The file filter interface on the server side listens for and accepts network connection requests and loads the file filter; the file filter filters the file operation requests arriving from the server-side file filter interface and passes on to the lower layer those operation requests that meet the set conditions;
it filters all file operation requests from the server side, such as reading or creating a file. The local system of the server passes these operation requests down to the lower layer without any modification, so the file filter does not affect the normal operation of application programs on the system server.
In addition, to prevent file content from leaking on the server side, the file filter has a memory buffer that stores the unique classification level of each file and the IP and file path name of the server holding it. The data in the memory buffer are encrypted by a cryptographic algorithm (the description names MD5 and RC4 as examples) and then copied to the output buffer.
Step 7: the system document processor of the system client decrypts the received file ID and the IP address of the server holding the file, and saves the decrypted file ID, the decrypted server IP address and the encrypted file path information; it activates the system time management module, and if the opened file is not operated by the user within the set duration the current session is terminated (to operate the document again the user must re-authenticate);
Step 8: the execution module of the system server determines the file pointed to by the IP address and file path of the server holding the file corresponding to the file ID carried in the access request, and sends the determined file to the document security protection module of the system server;
Step 9: the document security protection module of the system server embeds the identity information into the determined file using digital watermarking technology;
Step 10: the system execution module opens the file with the embedded digital watermark using the local application program;
Step 11: the system document processor of the system client accesses the file opened by the system server through the virtual channel established with the system server, for display on the terminal.
At this point, the user of the terminal can see the file content displayed on the terminal through the above access process;
in the above process, the system control module is an NT service running under the system server account and comprises a system monitor and an access control manager. The main function of the system monitor is to monitor the entire process of accessing a file, to log all operations on the file (including opening, modifying and printing) so as to provide a basis for the enterprise's information security audits, and to load the file filter on the system server. The access control manager checks the number of activated terminals and prevents too many terminals from being activated at the same time.
In addition, in this system what the end user accesses is not the actual physical content of the sensitive document. When a terminal user creates a file A from this system server through the browser, the system control module monitors the file from the moment the (sensitive) file is created: as soon as a new (sensitive) file appears in a file directory, the system monitor spawns a thread to check whether the document server holds a file whose file ID is identical to that of the new file. If there is such a file identification, the system file filter adds to the new file ID a symbol indicating that this file ID is a copy, for example by appending ".docf" to the file name, and the user specifies the security level of the file; if no file has the same file ID as the new file, the system monitor approves loading the file content.
When the user copies file A and saves it under the name of file B, the storage type is a specific type that saves only the file path of the original A; when the system reads this file, it can use the saved file path of the original A to look up the protected file content.
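The following added example (not code from the patent or its applicant) models the monitor behaviour described in the two paragraphs above. When a new file appears in a watched directory its file ID is compared with the IDs of protected files; a match is tagged as a copy by appending ".docf" to its name, given the classification level the user specifies, and stored as a pointer holding only the original's path. A later read of that pointer is resolved back to the protected original's content, which stays on the server. The registry structure, IDs, names and contents are constructed.

```python
"""Added example (not from the patent): copy detection by file ID and
pointer-only storage of derived files. All sample data are constructed."""

COPY_MARKER = ".docf"   # suffix the patent gives as an example copy marker


class DocumentMonitor:
    def __init__(self, protected):
        # file ID -> (path of the protected original, its content); server side only
        self.protected = protected
        self.directory = {}             # file name in the watched directory -> record

    def on_new_file(self, name, file_id, content, level):
        """Handle a file appearing in the watched directory; return its stored name.

        `level` is the security level the user specifies for the new file."""
        if file_id in self.protected:
            original_path, _content = self.protected[file_id]
            stored_name = name + COPY_MARKER
            # A derived copy keeps only the original's path, never content bytes.
            self.directory[stored_name] = {"type": "pointer",
                                           "file_id": file_id,
                                           "original_path": original_path,
                                           "level": level}
            return stored_name
        # No protected file shares this ID: the monitor approves loading the content.
        self.directory[name] = {"type": "content", "file_id": file_id,
                                "level": level, "data": content}
        return name

    def read(self, name):
        """Resolve a stored record to content, following a pointer to the original."""
        record = self.directory.get(name)
        if record is None:
            return None
        if record["type"] == "pointer":
            original_path, content = self.protected[record["file_id"]]
            if original_path != record["original_path"]:
                return None             # pointer no longer matches the catalogue
            return content
        return record["data"]


def build_demo():
    """Constructed catalogue with one protected original."""
    return DocumentMonitor({"F001": ("/srv/docs/customers.xlsx", b"ORIGINAL CONTENT")})
```

Because the derived record holds a path rather than data, an export of the watched directory carries no sensitive bytes; the server-side `protected` catalogue is the only place the content exists.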
The execution module exchanges information with the system client over the virtual channel from the start of the terminal session. The virtual channel is a session-oriented transport protocol, and on the terminal side of the system server the system executor can initialise other application programs. After the execution module and the other processing complete, the terminal session terminates automatically. During the terminal session, the application program's processing cannot be shared with remote networks on other computers, to resist hacking.
The system execution module exchanges information with the system client over the virtual channel from the start of the terminal session; the virtual channel is a session-oriented transport protocol, and the document is opened through it and displayed in a page. After the execution module and the other sub-processing programs complete, the terminal session terminates automatically. During application processing in the terminal session, sharing with remote networks accessed on other computers is not allowed.
Once an access request is received, the execution module decrypts and reads the file ID and file path and passes them to the access control module. The access control module starts the application corresponding to the file and monitors the session until the sub-process ends or the window is closed. The execution module is responsible for receiving keyboard data updates from the system client and, at the same time, feeds the same data to the system server's keyboard through a hidden window.
Based on the same inventive concept as the above file access system, embodiments of the present invention also provide a file access method and device on the system server side and a file access method and device on the system client side. Since the methods and devices on the system client side and the system server side solve the problem on a principle similar to that of the above file access system, their implementation may refer to the implementation of the above file access system, and repeated content is not described again.
Referring to Fig. 5, the file access method on the system server side comprises the following steps:
Step 501: receiving an access request, forwarded by the system client and originating from a terminal, that carries a file identification (ID);
Step 502: obtaining, from the stored correspondence between file IDs and file paths, the file path corresponding to the file ID carried in the access request;
Step 503: determining the file the obtained file path points to and opening the determined file using a local application program, so that the system client accesses the file opened by the system server through the virtual channel established with the system server, for display on the terminal.
Preferably, before opening the determined file using the local application program, the method further comprises:
embedding the identity information into the determined file using digital watermarking technology.
Preferably, after obtaining the file path corresponding to the file ID carried in the access request, the method further comprises:
encrypting the file ID and the corresponding file path and sending them to the system client, so that the system client, upon receiving from the terminal an operation request to obtain a copy of the file denoted by that file ID, displays the encrypted file path on the terminal.
Preferably, the method also includes:
The access request for carrying file path for carrying out self terminal of receiving system client terminal forwarding;
It determines that this carries file pointed by the file path carried in the access request of file path, uses local Application program opens determining file, so that the system client is visited by the virtual channel established between server of the system It asks the file that server of the system is opened, is shown for the terminal.
Referring to Fig. 6, a schematic diagram of the file access method on the system client side, the method includes the following steps:
Step 601: forward the access request carrying the file ID sent by the terminal to the system server, so that the system server opens the determined file using a local application program according to the file ID;
Step 602: access the file opened by the system server through the virtual channel established with the system server, for display on the terminal.
Preferably, the access request also carries the identity information of the user;
before the access request carrying the file ID sent by the terminal is forwarded to the system server, the method further includes:
authenticating the user identity information;
when authentication passes, obtaining, from the stored correspondence between file IDs and security levels (levels of confidentiality), the security level corresponding to the file ID carried in the access request;
determining whether the access authority of the user represented by the user identity information includes the obtained security level;
and forwarding the access request carrying the file ID sent by the terminal to the system server specifically includes:
forwarding the access request carrying the file ID sent by the terminal to the system server only when it is determined that the access authority of the user represented by the user identity information includes the obtained security level.
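As an added example (not code from the patent or its applicant), the following Python models the client-side gate and the server-side resolution described above: the system client authenticates the identity, looks up the security level for the file ID and forwards only when the user's access authority includes it; the system server resolves the file ID to a path, embeds the identity before opening, and returns only rendered output over the virtual channel. The HMAC identity token, the contents of the three tables, the visible per-page marker standing in for digital watermarking, and all names are assumptions made for this example.

```python
"""Client-side authorization gate and server-side file resolution (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample tables (assumption: the real system keeps these in a store).
FILE_PATHS: Dict[str, str] = {        # file ID -> file path, held by the system server only
    "F-1001": "/srv/docs/quarterly_plan.docx",
    "F-1002": "/srv/docs/board_minutes.pdf",
}
FILE_LEVELS: Dict[str, str] = {       # file ID -> security level, held by the system client
    "F-1001": "internal",
    "F-1002": "secret",
}
USER_CLEARANCE: Dict[str, set] = {    # user -> security levels the user's access authority includes
    "alice": {"public", "internal"},
    "bob": {"public", "internal", "secret"},
}
IDENTITY_KEY = b"constructed-demo-key"  # secret behind the identity token (assumed scheme)


def issue_identity(user: str) -> str:
    """Constructed identity token: the user name plus an HMAC over it."""
    tag = hmac.new(IDENTITY_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def authenticate(identity: str) -> Optional[str]:
    """Return the user name when the identity token verifies, otherwise None."""
    user, _, tag = identity.partition(":")
    expected = hmac.new(IDENTITY_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(tag, expected) else None


def authorize(file_id: str, identity: str) -> bool:
    """System client gate: authenticate, then require the user's access
    authority to include the security level recorded for the file ID."""
    user = authenticate(identity)
    if user is None:
        return False
    level = FILE_LEVELS.get(file_id)
    return level is not None and level in USER_CLEARANCE.get(user, set())


@dataclass
class OpenedFile:
    """A file opened by the server's local application; its bytes stay on the server."""
    file_id: str
    watermark: str
    rendered_pages: List[str] = field(default_factory=list)


class SystemServer:
    """System server: resolves file ID -> path and opens the file locally."""

    def __init__(self, paths: Dict[str, str], contents: Dict[str, str]) -> None:
        self._paths = paths
        self._contents = contents  # stands in for the files on the server's disk

    def handle_access_request(self, file_id: str, identity: str) -> OpenedFile:
        path = self._paths.get(file_id)  # Step 502: file ID -> file path
        if path is None:
            raise LookupError(f"unknown file ID {file_id!r}")
        user = authenticate(identity) or "unknown"
        # Identity embedded before opening; a visible marker on every rendered
        # page stands in for the patent's digital watermark (assumption).
        watermark = f"[viewed by {user} via {file_id}]"
        text = self._contents[path]  # Step 503: open with the local application
        pages = [f"{line}\n{watermark}" for line in text.splitlines()]
        return OpenedFile(file_id, watermark, pages)


class SystemClient:
    """System client: gate the request, forward it, then render what comes back."""

    def __init__(self, server: SystemServer) -> None:
        self._server = server

    def request(self, file_id: str, identity: str) -> List[str]:
        if not authorize(file_id, identity):
            raise PermissionError(f"request for {file_id} refused")
        opened = self._server.handle_access_request(file_id, identity)  # Step 601
        # Step 602: only rendered output crosses the virtual channel; the
        # client never sees the file path or the file bytes.
        return list(opened.rendered_pages)


def demo_server() -> SystemServer:
    """Server over constructed file contents."""
    contents = {
        "/srv/docs/quarterly_plan.docx": "Q1 targets\nQ2 targets",
        "/srv/docs/board_minutes.pdf": "Minutes page 1",
    }
    return SystemServer(FILE_PATHS, contents)


if __name__ == "__main__":
    client = SystemClient(demo_server())
    print(client.request("F-1001", issue_identity("alice")))
    print(authorize("F-1002", issue_identity("alice")))  # alice lacks the "secret" level
```

The point to notice is that `SystemClient.request` never receives a file path or file bytes, only `rendered_pages`; the gate refuses a forged token, an unknown file ID and a user whose clearance set does not contain the file's level.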
Preferably, the method further includes:
receiving the encrypted file ID and corresponding file path sent by the system server, decrypting the file ID, and establishing the correspondence between the decrypted file ID and the encrypted file path;
when receiving from the terminal an operation request to obtain a copy of the file represented by this file ID, obtaining the encrypted file path corresponding to this file ID from the correspondence and displaying the encrypted file path on the terminal.
Preferably, the method further includes:
forwarding an access request from the terminal that carries a file path to the system server, so that the system server opens the determined file according to the file path in the access request.
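The encrypted-path exchange described above, as an added example that is not part of the patent or its applicant's code: the server seals the file ID under a key shared with the client and the file path under a key only the server holds; the client decrypts the ID, keeps a decrypted ID to encrypted path correspondence, and on a copy request or a path-carrying access request only ever shows or forwards the sealed path. The HMAC-SHA256 stream cipher with an encrypt-then-MAC tag is a standard-library stand-in for a real AEAD such as AES-GCM; the assumption that the server itself decrypts the forwarded path, the keys and all names are made up for this example.

```python
"""Encrypted file-path exchange between system server and system client (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SERVER_KEY = b"constructed-server-key"  # held by the system server only (assumed)
SHARED_KEY = b"constructed-shared-key"  # shared by server and client for file IDs (assumed)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (stand-in for an AEAD seal such as AES-GCM)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the blob is too short or the tag fails."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class SystemServer:
    def __init__(self, paths: Dict[str, str]) -> None:
        self._paths = paths      # file ID -> file path, never sent in clear
        self.opened: list = []   # paths handed to the local application (simulated)

    def publish(self, file_id: str) -> Tuple[bytes, bytes]:
        """Encrypt the file ID (shared key) and its path (server-only key) for the client."""
        path = self._paths[file_id]
        return seal(SHARED_KEY, file_id.encode()), seal(SERVER_KEY, path.encode())

    def open_by_path(self, encrypted_path: bytes) -> str:
        """Access request carrying a file path: the path arrives still sealed; the
        server recovers it (assumption) and checks it is one of its own paths."""
        plain = open_sealed(SERVER_KEY, encrypted_path)
        if plain is None:
            raise PermissionError("file path token rejected")
        path = plain.decode()
        if path not in self._paths.values():
            raise PermissionError("file path not served here")
        self.opened.append(path)
        return path


class SystemClient:
    def __init__(self) -> None:
        self._paths_by_id: Dict[str, bytes] = {}  # decrypted file ID -> encrypted path

    def receive(self, encrypted_id: bytes, encrypted_path: bytes) -> None:
        file_id = open_sealed(SHARED_KEY, encrypted_id)
        if file_id is None:
            raise ValueError("file ID did not decrypt")
        self._paths_by_id[file_id.decode()] = encrypted_path

    def copy_request(self, file_id: str) -> str:
        """Terminal asks for a copy of the file: only the encrypted path is shown."""
        return self._paths_by_id[file_id].hex()

    def can_read_path(self, file_id: str) -> bool:
        """The client lacks SERVER_KEY, so it cannot recover the real path."""
        return open_sealed(SHARED_KEY, self._paths_by_id[file_id]) is not None


def run_demo() -> dict:
    """One round trip over constructed data: publish, copy request, path-carrying request."""
    server = SystemServer({"F-1001": "/srv/docs/quarterly_plan.docx"})
    client = SystemClient()
    client.receive(*server.publish("F-1001"))
    shown = client.copy_request("F-1001")   # what the terminal displays
    forwarded = bytes.fromhex(shown)        # terminal sends it back as "the file path"
    opened = server.open_by_path(forwarded)
    return {
        "path_in_display": b"/srv/docs" in forwarded,
        "client_can_decrypt": client.can_read_path("F-1001"),
        "server_opened": opened,
    }
```

Because the terminal only ever holds the sealed path, a copy request reveals nothing about the server's directory layout, and the server accepts a forwarded path only if its tag verifies under the server-only key and it names a file the server actually serves.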
Referring to Fig. 7, a schematic diagram of the file access device on the system server side, the file access device on the system server side includes a receiving module 71, a file path acquisition module 72 and a file opening module 73, wherein:
the receiving module 71 is configured to receive an access request from the terminal, forwarded by the system client, that carries a file identification (ID);
the file path acquisition module 72 is configured to obtain, from the stored correspondence between file IDs and file paths, the file path corresponding to the file ID carried in the access request;
the file opening module 73 is configured to determine the file pointed to by the obtained file path and open the determined file using a local application program, so that the system client accesses the file opened by the system server through the virtual channel established with the system server and displays it for the terminal.
Preferably, the file access device further includes:
an embedding module 74, configured to embed the identity information in the determined file using digital watermark technology before the file opening module opens the determined file using the local application program.
Preferably, the file access device further includes:
an encryption module 75, configured to encrypt the file ID and the corresponding file path after the file path acquisition module has obtained the file path corresponding to the file ID carried in the access request;
a sending module 76, configured to send the encrypted file ID and corresponding file path to the system client, so that when the system client receives from the terminal an operation request to obtain a copy of the file represented by this file ID, it displays the encrypted file path on the terminal.
Preferably, the receiving module 71 is further configured to receive an access request from the terminal, forwarded by the system client, that carries a file path;
the file opening module 73 is further configured to determine the file pointed to by the file path carried in that access request and open the determined file using the local application program, so that the system client accesses the file opened by the system server through the virtual channel established with the system server and displays it for the terminal.
Referring to Fig. 8, a schematic diagram of the file access device on the system client side, the file access device on the system client side includes a forwarding module 81 and an access module 82, wherein:
the forwarding module 81 is configured to forward the access request carrying a file ID sent by the terminal to the system server, so that the system server opens the determined file using a local application program according to the file ID;
the access module 82 is configured to access the file opened by the system server through the virtual channel established with the system server, for display on the terminal.
Preferably, the access request also carries the identity information of the user, and the file access device further includes:
an authentication module 83, configured to authenticate the user identity information before the forwarding module forwards the access request carrying the file ID sent by the terminal to the system server;
a security level acquisition module 84, configured to obtain, from the stored correspondence between file IDs and security levels, the security level corresponding to the file ID carried in the access request;
a determining module 85, configured to determine whether the access authority of the user represented by the user identity information includes the obtained security level;
the forwarding module 81 being specifically configured to forward the access request carrying the file ID sent by the terminal to the system server when it is determined that the access authority of the user represented by the user identity information includes the obtained security level.
Preferably, the file access device further includes:
a receiving module 86, configured to receive the encrypted file ID and corresponding file path sent by the system server, and to receive from the terminal an operation request to obtain a copy of the file represented by this file ID;
a correspondence building module 87, configured to decrypt the file ID and establish the correspondence between the decrypted file ID and the encrypted file path;
an acquisition module 88, configured, when the receiving module 86 receives from the terminal an operation request to obtain a copy of the file represented by this file ID, to obtain the encrypted file path corresponding to this file ID from the correspondence and display the encrypted file path on the terminal.
Preferably, the forwarding module 81 is further configured to forward an access request from the terminal that carries a file path to the system server, so that the system server opens the determined file according to the file path in the access request.
In the solution of the embodiments of the present invention, the system client uses its virtual channel to the system server to access the file opened by the system server and displays it for the terminal, so that neither authorized nor unauthorized users can reach the physical bytes of the file. Because the user never touches the physical bytes of the file, the user's normal working habits are unchanged, and the system offers both higher security and transparency. Further, since in the file access system of the invention the file never leaves the file server, the file does not need to be encrypted and decrypted; compared with other existing document protection IT architectures, the system architecture therefore greatly reduces the cost of encrypting and decrypting files and of system upgrades, and has higher usage efficiency and practical value. Further, the embodiments of the invention also apply document security protection technology in the file access system which, combined with the use of access rights and operation rights, can effectively prevent files containing confidential information from being leaked.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, apparatus (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various modifications and variations to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include these modifications and variations.

Claims (13)

1. A file access system, characterized in that the file access system includes a terminal, a system client and a system server;
the terminal is configured to send to the system client an access request carrying a file identification (ID) and user identity information, and to display the file opened by the system server;
the system client is configured to authenticate the user identity information; when authentication passes, to obtain, from the stored correspondence between file IDs and security levels, the security level corresponding to the file ID carried in the access request; when it determines that the access authority of the user represented by the user identity information includes the obtained security level, to forward the access request carrying the file ID sent by the terminal to the system server; and to access the file opened by the system server through the virtual channel established with the system server and display it for the terminal; if the file opened by the system server is not operated on by the user corresponding to the access request within a first preset duration, the system client disconnects the connection between the access request and the file opened by the system server;
the system server is configured to receive the access request; to obtain, from the stored correspondence between file IDs and file paths, the file path corresponding to the file ID carried in the access request; and to determine the file pointed to by the obtained file path and open the determined file using a local application program; the local application program processes the determined file and, while processing the determined file, is forbidden from connecting to network shares on other computers;
the system server is further configured, after obtaining the file path corresponding to the file ID carried in the access request, to encrypt the file ID and the corresponding file path and send them to the system client;
the system client is further configured to receive the encrypted file ID and corresponding file path, decrypt the file ID, and establish the correspondence between the decrypted file ID and the encrypted file path; and, when it receives from the terminal an operation request to obtain a copy of the file represented by this file ID, to obtain the encrypted file path corresponding to this file ID from the correspondence and display the encrypted file path on the terminal.
2. The file access system according to claim 1, characterized in that the system server is further configured to embed the identity information in the determined file using digital watermark technology before opening the determined file using the local application program.
3. The file access system according to claim 1, characterized in that the system client is further configured to forward an access request from the terminal that carries a file path to the system server;
the system server is further configured, on receiving the access request carrying a file path, to determine the file pointed to by the file path carried in the access request and open the determined file using the local application program.
4. A file access method, characterized in that the method includes:
receiving an access request from the terminal, forwarded by the system client, that carries a file identification (ID) and user identity information;
obtaining, from the stored correspondence between file IDs and file paths, the file path corresponding to the file ID carried in the access request;
determining the file pointed to by the obtained file path, and opening the determined file using a local application program, so that the system client accesses the file opened by the system server through the virtual channel established with the system server and displays it for the terminal; the local application program processes the determined file and, while processing the determined file, is forbidden from connecting to network shares on other computers;
encrypting the file ID and the corresponding file path and sending them to the system client, so that when the system client receives from the terminal an operation request to obtain a copy of the file represented by this file ID, it displays the encrypted file path on the terminal.
5. The file access method according to claim 4, characterized in that, before the determined file is opened using the local application program, the method further includes:
embedding the identity information in the determined file using digital watermark technology.
6. The file access method according to claim 4, characterized in that the method further includes:
receiving an access request from the terminal, forwarded by the system client, that carries a file path;
determining the file pointed to by the file path carried in that access request, and opening the determined file using the local application program, so that the system client accesses the file opened by the system server through the virtual channel established with the system server and displays it for the terminal.
7. A file access method, characterized in that the file access method includes:
authenticating the user identity information carried in the access request sent by the terminal; when authentication passes, obtaining, from the stored correspondence between file IDs and security levels, the security level corresponding to the file ID carried in the access request; when it is determined that the access authority of the user represented by the user identity information includes the obtained security level, forwarding the access request to the system server, so that the system server opens the determined file using a local application program according to the file ID; if the file opened by the system server is not operated on by the user corresponding to the access request within a first preset duration, the system client disconnects the connection between the access request and the file opened by the system server;
receiving the encrypted file ID and corresponding file path sent by the system server, decrypting the file ID, and establishing the correspondence between the decrypted file ID and the encrypted file path;
when receiving from the terminal an operation request to obtain a copy of the file represented by this file ID, obtaining the encrypted file path corresponding to this file ID from the correspondence and displaying the encrypted file path on the terminal;
accessing the file opened by the system server through the virtual channel established with the system server, for display on the terminal.
8. The file access method according to claim 7, characterized in that the method further includes:
forwarding an access request from the terminal that carries a file path to the system server, so that the system server opens the determined file according to the file path in the access request.
9. A file access device, characterized in that the file access device includes:
a receiving module, configured to receive an access request from the terminal, forwarded by the system client, that carries a file identification (ID) and user identity information;
a file path acquisition module, configured to obtain, from the stored correspondence between file IDs and file paths, the file path corresponding to the file ID carried in the access request;
a file opening module, configured to determine the file pointed to by the obtained file path and open the determined file using a local application program, so that the system client accesses the file opened by the system server through the virtual channel established with the system server and displays it for the terminal; the local application program processes the determined file and, while processing the determined file, is forbidden from connecting to network shares on other computers;
an encryption module, configured to encrypt the file ID and the corresponding file path after the file path acquisition module has obtained the file path corresponding to the file ID carried in the access request;
a sending module, configured to send the encrypted file ID and corresponding file path to the system client, so that when the system client receives from the terminal an operation request to obtain a copy of the file represented by this file ID, it displays the encrypted file path on the terminal.
10. The file access device according to claim 9, characterized in that the file access device further includes:
an embedding module, configured to embed the identity information in the determined file using digital watermark technology before the file opening module opens the determined file using the local application program.
11. A file access device, characterized in that the file access device includes:
a forwarding module, configured to forward the access request carrying a file ID sent by the terminal to the system server, so that the system server opens the determined file using a local application program according to the file ID; the local application program processes the determined file and, while processing the determined file, is forbidden from connecting to network shares on other computers;
a receiving module, configured to receive the encrypted file ID and corresponding file path sent by the system server, and to receive from the terminal an operation request to obtain a copy of the file represented by this file ID;
a correspondence building module, configured to decrypt the file ID and establish the correspondence between the decrypted file ID and the encrypted file path;
an acquisition module, configured, when the receiving module receives from the terminal an operation request to obtain a copy of the file represented by this file ID, to obtain the encrypted file path corresponding to this file ID from the correspondence and display the encrypted file path on the terminal;
an access module, configured to access the file opened by the system server through the virtual channel established with the system server, for display on the terminal.
12. The file access device according to claim 11, characterized in that the access request also carries user identity information, and the file access device further includes:
an authentication module, configured to authenticate the user identity information before the forwarding module forwards the access request carrying the file ID sent by the terminal to the system server; and, if the file opened by the system server is not operated on by the user corresponding to the access request within a first preset duration, the system client disconnects the connection between the access request and the file opened by the system server;
a security level acquisition module, configured to obtain, from the stored correspondence between file IDs and security levels, the security level corresponding to the file ID carried in the access request;
a determining module, configured to determine whether the access authority of the user represented by the user identity information includes the obtained security level;
the forwarding module being specifically configured to forward the access request carrying the file ID sent by the terminal to the system server when it is determined that the access authority of the user represented by the user identity information includes the obtained security level.
13. The file access device according to claim 11, characterized in that the forwarding module is further configured to forward an access request from the terminal that carries a file path to the system server, so that the system server opens the determined file according to the file path in the access request.
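Claim 1 above adds two protective behaviours that the description does not spell out in code: the system client drops a session when the opened file sees no user operation within the first preset duration, and the local application may not connect to network shares on other computers while it processes a protected file. The following Python is an added example of both (not code from the patent or its applicant); the 300-second duration, the injectable clock, the rule that treats UNC paths and smb:// or nfs:// targets as network shares, and all names are assumptions.

```python
"""Session idle watchdog and local-application connection policy (added example)."""
from dataclasses import dataclass
from typing import Dict, List

FIRST_PRESET_DURATION = 300.0  # seconds without a user operation before disconnect (assumed)


@dataclass
class Session:
    session_id: str
    file_id: str
    last_operation: float
    connected: bool = True


class VirtualChannelClient:
    """System client side: one session per opened file, reaped when idle."""

    def __init__(self, idle_limit: float = FIRST_PRESET_DURATION) -> None:
        self._idle_limit = idle_limit
        self._sessions: Dict[str, Session] = {}

    def connect(self, session_id: str, file_id: str, now: float) -> None:
        """Open a session over the virtual channel; the clock is injected for testing."""
        self._sessions[session_id] = Session(session_id, file_id, now)

    def user_operation(self, session_id: str, now: float) -> bool:
        """Record a user operation on the opened file; False if already disconnected."""
        s = self._sessions.get(session_id)
        if s is None or not s.connected:
            return False
        s.last_operation = now
        return True

    def reap_idle(self, now: float) -> List[str]:
        """Disconnect every session idle for at least the preset duration."""
        dropped: List[str] = []
        for s in self._sessions.values():
            if s.connected and now - s.last_operation >= self._idle_limit:
                s.connected = False
                dropped.append(s.session_id)
        return dropped

    def is_connected(self, session_id: str) -> bool:
        s = self._sessions.get(session_id)
        return s is not None and s.connected


def is_network_share(target: str) -> bool:
    """Assumed rule: UNC paths and smb:// or nfs:// URLs are shares on other computers."""
    t = target.replace("\\", "/").lower()
    return t.startswith("//") or t.startswith(("smb://", "nfs://"))


class LocalApplication:
    """Server-side application that opens the file; connections are policed
    only while a protected file is being processed, as the claim states."""

    def __init__(self) -> None:
        self.processing: str = ""
        self.connections: List[str] = []

    def begin(self, file_path: str) -> None:
        self.processing = file_path

    def end(self) -> None:
        self.processing = ""

    def connect(self, target: str) -> bool:
        """True if the connection is allowed and recorded, False if blocked."""
        if self.processing and is_network_share(target):
            return False
        self.connections.append(target)
        return True


if __name__ == "__main__":
    client = VirtualChannelClient()
    client.connect("s1", "F-1001", now=0.0)
    client.user_operation("s1", now=100.0)
    print(client.reap_idle(now=400.0))  # ["s1"]: 300 s since the last operation
    app = LocalApplication()
    app.begin("/srv/docs/quarterly_plan.docx")
    print(app.connect(r"\\fileserver\share\doc.docx"))  # False while processing
```

Reaping is driven by a clock argument rather than `time.time()` so the timeout logic can be checked deterministically; the share check is deliberately conservative and only applies between `begin` and `end`, which is exactly the window the claim restricts.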
CN201510007385.9A 2015-01-07 2015-01-07 A kind of file access system, method and device Active CN105827574B (en)

Publications (2)

Publication Number Publication Date
CN105827574A (en) 2016-08-03
CN105827574B (en) 2019-07-05

Family

ID=56513967

Country Status (1)

Country Link
CN (1) CN105827574B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant