CN100334833C - Method for using server resources by client via a network - Google Patents
Method for using server resources by client via a network Download PDFInfo
- Publication number
- CN100334833C CN100334833C CNB2004100425008A CN200410042500A CN100334833C CN 100334833 C CN100334833 C CN 100334833C CN B2004100425008 A CNB2004100425008 A CN B2004100425008A CN 200410042500 A CN200410042500 A CN 200410042500A CN 100334833 C CN100334833 C CN 100334833C
- Authority
- CN
- China
- Prior art keywords
- service
- client
- session
- request
- message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 238000000034 method Methods 0.000 title claims abstract description 91
- 230000004044 response Effects 0.000 claims abstract description 73
- 230000007246 mechanism Effects 0.000 claims abstract description 38
- 230000008569 process Effects 0.000 claims abstract description 28
- 230000000977 initiatory effect Effects 0.000 claims description 8
- 230000008859 change Effects 0.000 claims description 7
- 238000010200 validation analysis Methods 0.000 claims description 4
- 238000012795 verification Methods 0.000 claims description 4
- 241001269238 Data Species 0.000 claims description 3
- 238000012423 maintenance Methods 0.000 claims description 2
- 239000000344 soap Substances 0.000 description 13
- 230000027455 binding Effects 0.000 description 5
- 238000009739 binding Methods 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- GNFTZDOKVXKIBK-UHFFFAOYSA-N 3-(2-methoxyethoxy)benzohydrazide Chemical compound COCCOC1=CC=CC(C(=O)NN)=C1 GNFTZDOKVXKIBK-UHFFFAOYSA-N 0.000 description 3
- FGUUSXIOTUKUDN-IBGZPJMESA-N C1(=CC=CC=C1)N1C2=C(NC([C@H](C1)NC=1OC(=NN=1)C1=CC=CC=C1)=O)C=CC=C2 Chemical compound C1(=CC=CC=C1)N1C2=C(NC([C@H](C1)NC=1OC(=NN=1)C1=CC=CC=C1)=O)C=CC=C2 FGUUSXIOTUKUDN-IBGZPJMESA-N 0.000 description 3
- 238000013475 authorization Methods 0.000 description 3
- 230000006855 networking Effects 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 2
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
Images
Landscapes
- Computer And Data Communications (AREA)
Abstract
The present invention relates to a method for using resources at a service terminal by a client terminal in a network, which is executed on the basis that the equipment at the client terminal and the service terminal are found mutually. The method comprises that: detailed service information is acquired by the client terminal in the process of acquiring of a request for detailed service information and returning a response for detailed service information between the client terminal and the service terminal; when a security mechanism is in a safe service state, a session is established between the client terminal and the service terminal in the process of sending a session creation request and replying a session creation response; the service terminal authenticates the client terminal and controls the concurrency access of the client terminal according to the concurrency supporting capacity of the service; the client terminal calls service by a service calling mechanism previously specified according to an interface described in a service description file of the service; the client terminal or the service terminal sends a session removing notification message to the terminal at the other party so as to break the session. The method of the present invention enables the client terminal to call service of the service terminal in an agreement mode, so that resource sharing can be realized.
Description
Technical field
The present invention relates to the service technology of computer network resources, relate to the method for client use service end on the network or rather.Information equipment resource-sharing and cooperation with service (IGRS: intelligent packet and resource-sharing) equipment by intelligence interconnection and networking after, equipment can externally be issued the resource on the miscellaneous equipment in own resource and the shared network by service form of the present invention in the network, the inventive method is through service describing, session management and service invocation procedure, makes on the network client arbitrarily all can use Service Source in the network.
Background technology
Number of patent application is 02117334.6, denomination of invention is " a kind of dynamic group net is to realize the method for resource-sharing ", number of patent application is 02129533.6, denomination of invention is for " method for discovering equipment when realizing dynamic group net in the home network " and number of patent application are 02129532.8, denomination of invention is in when realization resource-sharing " in the home network service renting and authorization method ", discloses the method for a kind of dynamic group net and resource-sharing.So-called resource-sharing is meant that the service on the IGRS equipment can be issued the resource that self can provide to network, and the client on the IGRS equipment also can find and use the resource that service provided on other IGRS equipment simultaneously.This service is one of Gong resources shared entity by the IGRS equipment control, but externally shows as the one group of method that can call and one group of events subscribed.Client on the IGRS equipment can use service with these incidents of subscription by calling these methods.
Existing client in the equipment group, on the network equipment uses service method to have two kinds substantially, and a kind of is to use when having asset management device in the equipment group, and another kind is to use when not having asset management device in the equipment group.When having asset management device in the equipment group, send the authorized application request message by service use equipment to asset management device, the beginning authorized application; Asset management device sends the authorized application response message that has the authorized application result to service use equipment; The service of obtaining the authorization uses equipment to send the service renting request message to service providing device, beginning service renting process.When not having asset management device in the network, use equipment to send the service renting request message, beginning service renting process to service providing device by the service of setting up good equity connection; The service providing device that receives the service renting request message is made according to the current virtual condition that is requested rental service and is agreed or disagree with that renting of renting reply; Obtain agreeing to rent the service of replying and use equipment, use the service that service providing device provided.When having asset management device certainly in network, any two equipment in the network also can be realized resource-sharing by equity connection, service renting process.
These two kinds service employment mechanisms, precondition is must have asset management device in the network, perhaps wishes to obtain the use equipment of service and provide equipment room need set up reciprocity annexation, implementation procedure relative complex and loaded down with trivial details in advance; Because how the operation, the service that do not have prior clearly service to be provided are called and serve to be positioned at and where wait, make the client call service in addition in the mode of agreement; After the client finds service, how about realize service access control and how to pass through the use of service call mechanism realization service.
Summary of the invention
The objective of the invention is to design the method for client use service end resource on a kind of network, whether there is not asset management device in the tube apparatus group, also no matter service providing device uses equipment room whether to set up reciprocity annexation in advance with service, after the interconnected and networking of IGRS device intelligence, carry out service describing of the present invention, session management and service invocation procedure, promptly set up session by service describing with between client place equipment and service end place equipment, client just can be carried out service call to service end in the mode of agreement then, realizes resource-sharing.
Service describing of the present invention is the detailed description to service, describes the element of service each side, comprises operation, the service of how calling and service position etc. that service provides, makes the client call service in the mode of agreement by service describing.After session management of the present invention is meant the client terminal to discover service, can set up the back-up environment that follow-up service is visited by conversation mechanism, conversation mechanism is realized service access control from user list two aspects of client place equipment and service place equipment room relation and service permission visit.After service call of the present invention is meant and sets up session between client and service end, should be according to serving the interface of in service description document, describing, by the use of service call mechanism realization to serving of regulation.Client of the present invention and service end can be on the same physical equipment, also can be on the different physical equipments.
The technical scheme that realizes the object of the invention is such: client is used the method for service end resource on a kind of network, and client device and server device are found mutually through service discovery process, be it is characterized in that:
A. client is by initiating " obtaining the Service Detail request ", with service end by returning " obtain Service Detail response " process, make client obtain Service Detail, clear and definite requesting party and request object in " obtaining the Service Detail request ", in " obtaining the Service Detail response ", provide the service description document of this request object, the required details of service call are described in service in service description document, comprising Access Control List (ACL) strategy and the employed service safe mechanism of Authentication Client identity and the parameter of this service;
B. client is judged service safe mechanism, when the service safe mechanism of describing is " no service safe ", and direct execution in step D, otherwise execution in step C;
C. client is by initiating " conversation establishing request ", with service end by returning " conversation establishing response " process, between client and service end, create session, service end is according to the facility information of the client of obtaining in the conversation establishing process, corresponding client identity and user authentication information, access rights to the client authenticate, and according to the concurrent tenability of service the client are carried out concurrent access control simultaneously;
D. client adopts the service call mechanism of predesignating that service is called according to serve the interface of describing in service description document.
In step B, execution in step C creates session between client and service end when the service safe mechanism of describing is " service safe ", and behind execution of step D, execution in step E;
E. by client or service end to square end is sent the session teardown notification message, disconnect the session between client and service end, the ending resource use.And in step B, when the service safe mechanism of describing was " no service safe ", directly execution in step D because do not create session, also just need not to carry out the session teardown step.
The method that the present invention uses by the service of design IGRS equipment room, make IGRS equipment after intelligence interconnection and networking, by obtaining Service Detail, conversation establishing and service invocation procedure, make the client on the equipment use service (or the service on this equipment) on another equipment easily in the mode of agreement, process is simple and quick.
Description of drawings
Fig. 1 is the service use schematic flow sheet of client device of the present invention and server device;
Fig. 2 is the implementing procedure of a service use of the present invention;
Fig. 3 is the general session process flow diagram of client device of the present invention and server device;
Fig. 4 be in the master-slave equipment group service access control with the equipment pipe security attribute conversation procedure flow chart when inconsistent.
Embodiment
Notions such as the IGRS equipment that relates in the inventive method, IGRS service, equipment group, master-slave equipment group, equipment pipe, session, user, use the corresponding definition in " information equipment resource-sharing cooperation with service (IGRS) basic agreement standard ", service discovery mechanisms and service leasing mechanism are disclosed in respectively in Chinese patent application 02129533.6, " method for discovering equipment when realizing dynamic group net in the home network " and Chinese patent application 02129532.8, " service renting and the authorization method when realizing resource-sharing in the home network ".
IGRS method of servicing of the present invention relates to service describing, three parts of session management and service call, and the relation between the three is as shown in Figure 1.
It at first is service discovery (1).Can adopt by disclosed discovery mechanism or other service discovery mechanisms in Chinese patent application 02129533.6, " method for discovering equipment when realizing dynamic group net in the home network ", realize service discovery, pass through service discovery process, equipment has obtained simple information on services on the network on the network, and client device and server device are found mutually.
Be to obtain Service Detail (2) then.Obtain Service Detail by initiating " obtaining the Service Detail request " with " obtaining the Service Detail response " process between device clients and device service end, this Service Detail comprises host-host protocol, service call interface, service calling method and the call parameters and the service data type etc. of service position, support.
Be conversation establishing (3) more then.Create session by initiating " conversation establishing request " with " conversation establishing response " process between device clients and device service end, make server device obtain the facility information of client device, client identity and reach and client authenticated etc.
Be that (4) are used in service more then.Through the device clients of server side authentication,, adopt the machine-processed use that realizes service of the service call of predesignating in service description document according to the interface that service is described.
Be session teardown (5) at last, the arbitrary end equipment of device clients and device service end sends session teardown notification message, the session between off device client and device service end, conversation end to opposite equip..
Need to prove:, when the service safe mechanism of describing is " service safe ", needs between client and service end, to create session, and after service is used, carry out session teardown, the ending resource use if when obtaining Service Detail.If when obtaining Service Detail, when the service safe mechanism of describing is " no service safe ", needn't create session and directly serve use, after finishing using the ending resource use, because do not create session, also just need not to carry out the session teardown step.
Referring to Fig. 2, be that client uses the service of service end resource on the equipment 2 to use the specific implementation process on the equipment 1.
Step a, service discovery.The IGRS client can be found the IGRS service on the network by intercepting the IGRS service on-line declaration message on the network, obtains some essential informations, comprise the IP address of type, this equipment of IGRS service place equipment and this equipment with information on services etc.
Step b obtains Service Detail request and step c, obtains the Service Detail response.The IGRS client obtains corresponding IGRS Service Detail by " obtaining Service Detail responds " of initiating " obtaining the Service Detail request " and accepting service end.Clear and definite requesting party (client) and request object (service end) in " obtaining the Service Detail request ", provide the service description document of required service in " obtaining the Service Detail response ", the required details of service call are described in service in service description document.
Step b wherein, the service description document of clear and definite acquisition request in request.The message format of service description document request can have the various definitions mode, is a kind of preferred embodiments wherein shown in the table 1, and type of message is Get Service Description Request (obtaining the service description document request).Give outbound message and message field explanation thereof in the table, explanation is the Optional Field of indispensable field or suggestion respectively.
Table 1
</entry></row></tbody></tgroup></table></tables>
Wherein step c obtains the Service Detail response.Receive the equipment that obtains the service description document request message, should return and obtain the service description document response message.The service description document that comprises this service in the response message, service are issued self Access Control List (ACL) strategy (ACL) and employed mechanism of authenticating user identification and parameter (service safe mechanism) to this service in service description document.The message format of response message can have the various definitions mode, is a kind of preferred embodiments wherein shown in the table 2.Give outbound message and message field explanation thereof in the table, explanation is the Optional Field of indispensable field or suggestion respectively.
Table 2
Message | The message field explanation |
HTTP/1.1200 OK (message header) | The HTTP order line |
CONTENT-LENGTH: message body content length | Indispensable field |
Content-type:text/xml; charset=utf-8Content-type:text/xml; charset=utf-8;charset=utf-8 | Indispensable field |
CONTENT-LANGUAGE: document description language | Contain the ACCEPT-LANGUAGE field in and if only if the request message, then this field is indispensable field, and the language description rule is seen RFC1766 |
Ext: | Indispensable field |
Cache-control:no-cache=”Ext” | Indispensable field |
MAN:”http://www.igrs.org/spec1.0”;ns=01 | Indispensable field |
01-IGRSVersion:IGRS/1.0 | Indispensable field |
01-IGRSMessageType:GetServiceDescriptionRe sponse | Indispensable field, content must be so |
01-AcknowledgeId: equipment pipe sequence of response messages number | Indispensable field, 32 unsignedInt of type are identical with SequenceId in the request message |
01-SourceDeviceId: the service place device identifier of initiating this response | Indispensable field, type is uri |
01-TargetDeviceId: target device identifier | Indispensable field, type is uri |
MAN:” http://schemas.xmlsoap.org/soap/envelope/ ”;ns=02 | Indispensable field |
02-SoapAction:” IGRS-GetServiceDescription-Response” | Indispensable field |
<SOAP-ENV:Envelope xmlns:SOAP-ENV=″http://schemas.xmlsoap.org /soap/envelope/″ SOAP-ENV:encodingStyle=″http://schemas.xml soap.org/soap/encoding/″> | Indispensable field |
<SOAP-ENV:Body> | Indispensable field |
<DeviceOperation?xmlns= “http://www.igrs.org/spec1.0”> | Indispensable field |
<ClientId> | Indispensable field, type is 32 |
Message | The message field explanation |
Send the voip identifiers of obtaining the service describing request</ClientId | UnsignedInt |
<ServiceId〉respond service identifier</ServiceId | Indispensable field, type is 32 unsignedInt |
<AcknowledgeId〉obtain service description document response sequence number</AcknowledgeId | Indispensable field, type is 32 unsignedInt, and is identical with SequenceId corresponding in the request message. |
<ReturnCode〉obtain service describing responsive state sign indicating number</ReturnCode | Indispensable field |
<ServiceDescription〉service description document</ServiceDescription 〉 | Service describing based on IGRS service describing template structure |
</DeviceOperation 〉 | Indispensable field |
</SOAP-ENV:Body 〉 | Indispensable field |
</SOAP-ENV:Envelope 〉 | Indispensable field |
Annotate: upright letters is represented specified content in the message definition, and italics represents specifically to insert the prompting of content. |
About " service description document " in the table, IGRS service adopts WSDL1.1 service describing standard to describe the element of service each side, comprises host-host protocol, service call interface, service calling method and the call parameters of service position, support and service data type (parameter type of the required operation parameter of service call) etc.IGRS service describing standard of the present invention has been formulated the special agreement of describing the IGRS service under the prerequisite that meets the WSDL1.1 standard, comprising: based on the transmission binding of equipment pipe; With definition service standard interface two aspects.
IGRS service of the present invention has increased a kind of new host-host protocol-IGRS equipment pipe based on equipment pipe in its service describing mechanism, expand the host-host protocol binding based on WSDL1.1.Should be expansion based on the transmission binding of equipment pipe to the SOAP binding, determine according to: transport=" http://www.igrs.org/igrs/igrspipe ", all stipulate by the IGRS agreement by host-host protocol, serialization mode and the coded system of the Bindings part appointment of IGRS service description document.
Service call interface of the present invention comprises the User Defined interface and by the standard interface of information equipment resource-sharing and cooperation with service IGRS standard definition.Thereby the present invention uses for the IGRS service provides standard interface that service data is exposed to service requester.Here the service data of indication comprises service state data and some static service datas, and general length is less, and does not comprise multi-medium data.For avoiding when using service data, need in each service, doing the trouble of defining operation, use standard interface for using service data to define service data in the IGRS service describing standard, come corresponding with various standard operations.Only need call on demand during use and needn't define again, promptly by calling the standard interface that defines in the IGRS standard, the user can use service data.The standard interface of IGRS service support comprises service data query interface, service data change events subscribing interface and service data variation event notification interface.
The IGRS service expands to IGRS port Type with the port Type of WSDL, has defined the daughter element that is called as service Data in IGRS port Type, is used for defining service data.The Notifiable attribute of service data is defined as whether should producing notification message when service data changes, and is defaulted as and does not produce notification message.The initial value that is defined as the service data element of static data can usually be provided with by the static Service Data Values unit among the portType.
Service data query interface in the standard interface of IGRS service support, its content that comprises is: defined the method find Service Data to the service data inquiry in the IGRS service describing standard.Comprise an inquiry request message and a query response message in the Find Service Data method.Comprise a query expression in the inquiry request message, this query expression comprises is operating as findService Data By Names, the service data title of the element that expression formula comprises for inquiring about.The object information or the query failure message that comprise successful inquiring in the query response message, the service data element in the Query Result should comprise return code corresponding to the service data title that will inquire about in the query requests in the Query Result.
Service data change events subscribing interface in the standard interface of IGRS service support, its content that comprises is: defined the method for subscribing subscribe that service data is changed in the IGRS service describing standard, this method is subscribed to trigger event notice when the service data of service goal changes.Comprise a subscription request message and a subscription response message in the subscribe method.Comprise subscribe request expression formula (subscribe Expression), subscription identifier (subscription Id), notification target address (location) and subscription concluding time (expiration Time) in the subscription request message for this subscription service distribution.The subscribe request expression formula comprises is operating as subscribeServiceDataByNames, and the service data title of the element that expression formula comprises for subscribing to can trigger the events corresponding notice when this service data changes.The notification target address is the address of service of sending subscribe request.Comprise subscription identifier (subscription Id), subscription concluding time (termination Time) and return code (return Code) that this service is subscribed in the subscription response message.Still want to renew one's subscription if this time subscribe to subscribe request side, end back, subscribe request side should send subscribe request again according to subscription identifier.The Service events subscriber also can cancel subscriptions.Make mistakes and in the return code of response message, to represent error message if subscribe to.
Service data change events notification interface in the standard interface of IGRS service support, its content that comprises is: defined the event notice operation sendNotification that service data is changed in the IGRS service describing standard.After the service data change events subscribed to, when service data changes, subscribe to the recipient and should send a notification message to subscribe request side, notification message content comprises title, numerical value and the subscription identifier of all service datas of having subscribed to, even have only the part service data that variation has taken place, subscribing to the recipient also needs to send a notification message to subscribe request side.This operation does not require that subscribe request side returns response message.
Steps d, conversation establishing request and step e, conversation establishing response.Conversation establishing request and conversation establishing response have constituted session management.
IGRS client is by obtaining the description of target IGRS service, the security mechanism that obtains this service is described, if the security mechanism of this service is described as IGRS:ServiceSecurity:NULL (no service safe), the client who then visits this service does not need elder generation and service to set up session.If it is not IGRS:ServiceSecurity:NULL that the security mechanism of service is described, then before this service of visit, the client should set up session with service.
Conversation procedure comprise the control of service access in general session process and the master-slave equipment group with the equipment pipe security attribute conversation procedure when inconsistent.
IGRS client can set up the back-up environment of follow-up service visit after finding service on the target IGRS equipment by service discovery mechanisms by conversation mechanism on the equipment pipe basis.Authenticating user identification in the conversation establishing process is a unilateral authentication, promptly by the server side authentication client.The IGRS service can concern from the equipment room of IGRS client place equipment and this service place equipment and should serve two dimensions realizations of the user list service access control that allows visit.In the conversation establishing stage, the concurrent visit quantity that the IGRS service can be provided with maximum service call controls concurrent service access.
The relation of IGRS equipment room comprises: whether client device and server device are in the same equipment group; Whether IGRS client place equipment is the credible equipment of IGRS service place equipment; With IGRS client place equipment whether be the appointment credible equipment of IGRS service place equipment.Satisfy above-mentioned one or the multinomial dimension that then satisfies one of them realization service access control.
IGRS serves place equipment, sets up in session and obtains IGRS client place facility information, corresponding user identity and user authentication information in the process.According to the above-mentioned information check IGRS client's who obtains access rights, the concurrent tenability according to the IGRS service realizes concurrent control simultaneously.Between synchronization IGRS client and IGRS service, can only there be a session.Operations such as after session was set up successfully, IGRS client just can call the IGRS service, data query.After IGRS client finishes use to the IGRS service, IGRS client can disconnect and the IGRS service between session.
A kind of certificate Token (identity that Token is mainly used in the conversation establishing process is differentiated) that represent certain particular trusted attribute of generation such as corresponding access control description during client is described according to destination service, authentication mechanism and authentication, cryptographic algorithm, and send the request of setting up session with this service to destination service place equipment, the message format of this request message can have the various definitions mode, being a kind of preferred embodiments wherein shown in the table 3, is the message format of general session request to create message.Give outbound message and message field explanation thereof in the table, description messages is the Optional Field of indispensable field or suggestion respectively.
Table 3
Message | The message field explanation |
M-POST/IGRS?HTTP/1.1 | Expansion HTTP order line |
HOST: destination host IP: port | Indispensable field |
01-IGRSVersion:IGRS/1.0 | Indispensable field, IGRS version number |
01-IGRSMessageType:CreateSessionRequest | Indispensable field, content must be so |
01-TargetDeviceId: target device identifier | Indispensable field, type is uri |
01-SourceDeviceId: source device identifier | Indispensable field, type is uri |
01-SequenceId: equipment pipe message request sequence number | Indispensable field, type is 32 unsignedInt |
Content-type:text/xml; charset=utf-8Content-type:text/xml; | Indispensable field |
</entry></row></tbody></tgroup></table></tables>
Among the step e, receive the conversation establishing request of client device at service providing end equipment after, according to the user identifier in the request message, authentification of user algorithm, the certificate Token in the request message is carried out validation verification.If checking is effectively then returned the conversation establishing success response to client device, otherwise, a conversation establishing failure response returned.Response message format can have the various definitions mode, and table 4 provides the preferred embodiments that general session is created response message.To the explanation of outbound message and message field, comprise the selection field of indispensable field and suggestion in the table.
Table 4
Message | The message field explanation |
HTTP/1.1200?OK | The HTTP order line |
Ext: | Indispensable field |
Cache-conntrol:no-cache=”Ext” | Indispensable field |
01-IGRSVersion:IGRS/1.0 | Indispensable field, IGRS version number |
01-IGRSMessageType:CreateSessionResponse | Indispensable field, content must be so |
01-TargetDeviceId: target device identifier | Indispensable field, type is uri |
01-SourceDeviceId: source device identifier | Indispensable field, type is uri |
01-AcknowledgeId: equipment pipe response sequence number | Indispensable field, type is 32 unsignedInt, and is identical with equipment pipe Sequenceld in the request message |
Content-type:text/xml; charset=utf-8Content-type:text/xml; charset=utf-8;charset=utf-8 | Indispensable field |
Content-length: message body length | Indispensable field |
MAN:”http://www.igrs.org/session”;ns=01 | Indispensable field |
MAN:?” http://schemas.xmlsoap.org/soap/envelope/ ”;ns=02 | Indispensable field |
02-SoapActionn:” IGRS-CreateSession-Response” | Indispensable field |
<SOAP-ENV:Envelope xmlns:SOAP-ENV=″http://schemas.xmlsoap.org /soap/envelope/″ SOAP-ENV:encodingStyle=″http://schemas.xml soap.org/soap/encoding/″> | Indispensable field |
<SOAP-ENV:Body> | Indispensable field |
<DeviceOperation?xmlns= “http://www.igrs.org/spec1.0”> | Indispensable field |
<sourceServiceId>The source service identifier</SourceServiceId> | Indispensable field, type is 32 unsignedInt |
<targetClientId>Target customer's identifier</TargetClientId> | Indispensable field, type is 32 unsignedInt |
<targetUserId>Targeted customer's identifier</TargetUserId> | Indispensable field, type is string |
<acknowledgeId>Response sequence number</AcknowledgeId> | Indispensable field, type is 32 unsignedInt, and is identical with SequenceId in the request message body |
<ReturnCode〉create the responsive state sign indicating number of conversation procedure | Indispensable field |
Message | The message field explanation |
</ReturnCode 〉 | |
</DeviceOperation 〉 | Indispensable field |
</SOAP-ENV:Body 〉 | Indispensable field |
</SOAP-ENV:Envelope 〉 | Indispensable field |
Annotate: upright letters is represented specified content in the message definition, and italics represents specifically to insert the prompting of content. |
In conjunction with the general session process is described referring to Fig. 3.
Step a, b, c are with operating among Fig. 2 among Fig. 3, and steps d 1 is conversation establishing request and conversation establishing response process with e1.The operation of step g and step h is with step g among Fig. 2 and h.
The conversation establishing request of steps d 1, be the certificate Token that generations such as corresponding access control description in being described according to destination service by client, authentication mechanism and authentication encryption algorithm are used for certain particular trusted attribute of expression of conversation establishing process identity discriminating, and send the request of setting up session with this service to destination service place equipment.
The conversation establishing response of step e1, be after service providing end equipment receives client's conversation establishing request, according to the user identifier in the request message, authentification of user algorithm, Token in the request message is carried out validation verification, if checking effectively, then return the conversation establishing success response to the client, otherwise, a conversation establishing failure response returned.
In conjunction with illustrate referring to Fig. 4 the control of service access in the master-slave equipment group with the equipment pipe security attribute conversation procedure when inconsistent.Access security control when certain service, require to need the client place equipment of its request and the equipment pipe of setting up a safety between the equipment of this service is provided, but the equipment pipe that two equipment rooms have been set up does not meet this safety requirements, and (there is a main equipment 3 in both sides' equipment when belonging to same master-slave equipment group in the equipment group, all the other are its slave unit), client and the service end that then will set up session can obtain session encryption key from main equipment 3, are used for the encrypted transmission of interaction message in this session.
Step a, b, c are with operating among Fig. 2 among the figure, and steps d 2 is conversation establishing request and conversation establishing response process with e2.The operation of step f and step h is with step f and h among Fig. 2.In the conversation establishing response message of step e2, when the responsive state sign indicating number for " the device access authority forbids " time, carry out following steps:
Step e21, the cryptographic algorithm (EncryptAlgorithm) that client is selected to be fit to oneself from the cryptographic algorithm tabulation that the service describing of service providing end is supported forms corresponding service safe mechanism descriptor, with device identifier, the device identifier of service providing end, the cryptographic algorithm of client oneself be packaged into one to main equipment 3 application session encryption keys " the session encryption key request information is issued main equipment 3;
Step e22, main equipment 3 receives client " after the session encryption key request information; generate the random bit string of an appropriate length according to the cryptographic algorithm in the request message; as session encryption key; and adopt the shared secret key safety mechanism of setting up in advance between main equipment and the customer equipment; with session encryption key and the voip identifiers that generates; encrypt formation ciphertext Cipher1 with the respective encrypted algorithm, shared key of setting up in advance between usefulness main equipment and the service providing end equipment and cryptographic algorithm are to service identifier simultaneously, voip identifiers, with the cryptographic algorithm EncryptAlgorithm that selects, session encryption key is encrypted, form ciphertext Cipher2, ciphertext Cipher1 and ciphertext Cipher2 issue client in " session encryption key response ";
Step e23, after client receives main equipment " session encryption key response ", therefrom extract ciphertext Cipher1 and Cipher2, and with and main equipment between the shared key set up in advance Cipher1 is decrypted, obtain session encryption key, then ciphertext Cipher2 is issued service providing end equipment by " session encryption key sends notice ";
Step e24, service providing end receives " session encryption key sends notice ", extract Cipher2, with the shared key of setting up in advance between own and main equipment Cipher2 is deciphered, confirm voip identifiers, the cryptographic algorithm EncryptAlgorithm of selection, session encryption key, send " session encryption key sends response " to the client then, client is set to equipment trusty immediately simultaneously;
Step e25, after client receives service providing end " session encryption key sends response ", according to the access control policy demand of service providing end, generate a conversation establishing request once more, and send to service providing end equipment after this request message encrypted with session encryption key;
Step e26, the conversation establishing message that the service providing end equipment interconnection is received is deciphered with session encryption key, according to the user identifier in the request message, authentification of user algorithm, Token in the request message is carried out validation verification, if checking effectively, then return the conversation establishing success response to the client, otherwise, a conversation establishing failure response returned.Conversation establishing success response message is also encrypted with session encryption key.If this session is set up successfully, then interactive messages is all used the session encryption key encrypted transmission in this session, until this session teardown.
Continuation is referring to Fig. 2, step f, service invocation request and step g, service call response.
After service call is meant that client and service end are set up session, should be according to serving the interface of in service description document, describing, by service call mechanism realization the calling of regulation to service.
After session is set up, the equipment of expression client and the checking that user identity has passed through service end, and the concurrent access control that client has also been passed through service end to the visit of service limits, and client can be carried out the service call of " request-response " pattern or " notice " pattern to service.
In the service call of " request-response " pattern, after service end is received the service invocation request of client, should return and call response message, the service call response message returns to the client who calls based on the session identical with conversation establishing.In the service call of " notice " pattern, after the service call notification of client is received in service, do not return and call response message.
Client based on and the destination service end between the session of setting up when destination service is carried out the funcall of " request " pattern, in the message body of request message, comprise concrete call request information.Can define the form of multiple service invocation request message, table 5 illustrates a kind of preferable example.To outbound message and message field explanation, explanation is the selection field of indispensable field or suggestion respectively in the table.
Table 5
Message | The message field explanation |
M-POST/ destination service identifier HTTP/1.1 | Expansion HTTP order line |
Host: destination host IP address: port | Indispensable field |
01-IGRSVersion:IGRS/1.0 | Indispensable field, IGRS version number |
01-IGRSMessageType:InvokeServiceRequest | Indispensable field, content must be so |
01-SourceDeviceId: the device identifier that sends request | Indispensable field, type is uri |
01-TargetDeviceId: target device identifier | Indispensable field, type is uri |
Content-Length: the length byte of message body | Indispensable field |
Content-type:text/xml; charset=utf-8Content-type:text/xml; charset=utf-8;charset=utf-8 | Indispensable field |
MAN:”http://www.igrs.org/spec1.0”;ns=01 | Indispensable field |
MAN:” http://schemas.xmlsoap.org/soap/envelope/ ”;ns=02 | Indispensable field |
02-SoapAction:”IGRS-InvokeService-Request” | Indispensable field |
Message | The message field explanation |
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org /soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xml soap.org/soap/encoding/"〉 | Indispensable field |
<SOAP-ENV:Body 〉 | Indispensable field |
<Session xmlns=" http://www.igrs.org/spec1.0 " request=" NeedResponse " | Indispensable field, request attribute indicate this message call to need response |
<ClientId〉the source voip identifiers</ClientId 〉 | Indispensable field, type is 32 unsignedInt |
<ServiceId〉the destination service identifier</ServiceId 〉 | Indispensable field, type is 32 unsignedInt |
<SequenceId〉the call request sequence number</SequenceId 〉 | Indispensable field, type is 32 unsignedInt |
<!-be concrete call request message--herein | |
</Session 〉 | Indispensable field |
</SOAP-ENV:Body 〉 | Indispensable field |
</SOAP-ENV:Envelope 〉 | Indispensable field |
Annotate: upright letters is represented specified content in the message definition, and italics represents specifically to insert the prompting of content. |
An IGRS service should be returned and call response message after receiving client's the call request that the response demand is arranged.In the message body of response message, comprise and specifically call response message.Service function is called response message and is issued the client of sending call request based on the session identical with conversation establishing, also can define multiple message format, provide a kind of preferable example in the table 6, provide response message field and explanation of field in the table 6, explanation is the selection field of indispensable field or suggestion.
Table 6
Message | The message field explanation |
HTTP/1.1200?OK | The HTTP order line |
Ext: | Indispensable field |
Cache-control:no-cache=”Ext” | Indispensable field |
MAN:”http://www.igrs.org/spec1.0”;ns=01 | Indispensable field |
01-IGRSVersion:IGRS/1.0 | Indispensable field, IGRS version number |
01-IGRSMessageType:InvokeServiceResponse | Indispensable field, content must be so |
01-TargetDeviceId: target device identifier | Indispensable field, type is uri |
01-SourceDeviceId: source device identifier | Indispensable field, type is uri |
01-AcknowledgeId: equipment pipe message response sequence number | Indispensable field, type is 32 unsignedInt |
Content-Length: message body length | Indispensable field |
</entry></row></tbody></tgroup></table></tables>
Step h, the session teardown notice.During session teardown,, send the session teardown notification message to the other side by the either party in IGRS client or the service end, and the session between disconnection and the other side.The type of message of session teardown notification message is Destroy Session Notify, comprises the client of this session and the certificate Token of service end both sides and this session maintenance in the message.The message format of session teardown notice can have multiple, and table 7 provides the preferred embodiments that general session is removed notification message, provides session teardown notification message field and explanation of field in the table 7, and providing in the explanation is the selection field of indispensable field or suggestion.
Table 7
Message | The message field explanation |
M-NOTIFY/IGRS?HTTP/1.1 | Expansion HTTP order line |
Host: host IP address: port | Indispensable field |
</entry></row></tbody></tgroup></table></tables>
Relate to service describing, session management and service invocation procedure in the using method of client of the present invention to the service end resource, whether there is not asset management device in the tube apparatus group, all be to set up session at client place equipment and service place equipment room, client is called service according to service describing, thereby realizes the use to the service end resource.
Claims (14)
1. client is used the method for service end resource on the network, and client device and server device is characterized in that through service discovery process discovery mutually:
A. client is by initiating " obtaining the Service Detail request ", with service end by returning " obtain Service Detail response " process, make client obtain Service Detail, clear and definite requesting party and request object in " obtaining the Service Detail request ", in " obtaining the Service Detail response ", provide the service description document of this request object, the required details of service call are described in service in service description document, comprising Access Control List (ACL) strategy and the employed service safe mechanism of Authentication Client identity and the parameter of this service;
B. client is judged service safe mechanism, when the service safe mechanism of describing is " no service safe ", and direct execution in step D, otherwise execution in step C;
C. client is by initiating " conversation establishing request ", with service end by returning " conversation establishing response " process, between client and service end, create session, service end is according to the facility information of the client of obtaining in the conversation establishing process, corresponding client identity and user authentication information, access rights to the client authenticate, and according to the concurrent tenability of service the client are carried out concurrent access control simultaneously;
D. client adopts the service call mechanism of predesignating that service is called according to serve the interface of describing in service description document.
2. method according to claim 1, it is characterized in that: in the described steps A, make client obtain Service Detail, this Service Detail comprises host-host protocol, service call interface, service calling method and call parameters and the service data type of service position, support.
3. method according to claim 2, it is characterized in that: described service call interface, comprise the User Defined interface, and by the standard interface of information equipment resource-sharing and cooperation with service IGRS standard definition, this standard interface comprises service data query interface, service data change events subscribing interface and service data variation event notification interface.
4. method according to claim 3 is characterized in that: described service data query interface, be used to define method to the service data inquiry, and comprise an inquiry request message and a query response message; Comprise a query expression in the inquiry request message, this query expression comprises service data title to be checked; Service data title to be checked in the object information or the query failure message that comprise successful inquiring in the query response message, the service data title in the Query Result and query requests is corresponding.
5. method according to claim 3, it is characterized in that: described service data change events subscribing interface, be used to define method for subscribing, comprise by subscribe request side and send subscription request message and subscribe to the subscription response message of recipient this subscription request message to the service data variation of destination service; The subscription identifier that comprises the subscribe request expression formula in the subscription request message, distributes for this subscription service, notification target address and subscribe to the concluding time, the subscribe request expression formula comprises the service data title of subscription, triggers the event notice corresponding with this service when this service data changes; In the subscription response message, when subscribing to successfully, provide subscription identifier and subscription concluding time that this service is subscribed to, when subscribing to failure, express the subscription error message by return code.
6. method according to claim 3, it is characterized in that: described service data change events notification interface, be when service data changes, send a notification message by subscribing to receive direction subscribe request side, notification message comprises title, numerical value and the subscription identifier of all service datas of having subscribed to.
7. method according to claim 1 is characterized in that: among the described step B, execution in step C creates session between client and service end when the service safe mechanism of describing is " service safe ", and behind execution of step D, execution in step E;
E. by client or service end to square end is sent the session teardown notification message, disconnect the session between client and service end, the ending resource use.
8. method according to claim 7 is characterized in that: in the described step e, comprise the client of this session and the certificate of service end both sides information and this session maintenance in the session teardown notification message.
9. method according to claim 1, it is characterized in that: among the described step C, the service end of creating in the session authenticates client, is to realize service access control from the equipment room relation of client place equipment and this service end place equipment and two dimensions of user list of this service permission visit.
10. method according to claim 9, the relation that it is characterized in that described equipment room comprises: whether client device and server device are in the same equipment group, whether client place equipment is the credible equipment of service end place equipment, with client place equipment whether be the appointment credible equipment of service end place equipment, satisfy above-mentionedly more than one or one, in described authentication, be judged as the equipment room that satisfies described client place equipment and service end place equipment and concern this dimension requirement.
11. method according to claim 1 is characterized in that: among the described step C, can only have a session at synchronization between client and the service end.
12. method according to claim 1 is characterized in that among the described step C, described establishment conversation procedure comprises:
Client generates the certificate of certain expression particular trusted attribute according to the access control description, authentication mechanism and the authentication encryption algorithm that provide in the service description document, and utilizes described " conversation establishing request " to send to service end;
The service end that receives " conversation establishing request " is according to the user identifier in the request message, authentification of user cryptographic algorithm, this certificate is carried out validation verification, verify and return the conversation establishing success response to client when effective otherwise return the conversation establishing failure response; And require between client device and server device, to set up safety corridor and pipeline that two equipment rooms have been set up when not meeting this safety requirements when the access control of service, return the response message of " the device access authority is forbidden ".
13. method according to claim 12, it is characterized in that: when returning the response message of " the device access authority is forbidden " in service end, if client and service end belong to together in the master-slave equipment group, obtain session encryption key by client from main equipment, and by and service end between " session encryption key send notice " reach " session encryption key sends and responds " process, make service end obtain session encryption key, repeat the establishment conversation procedure of described step C again, client and service end both sides encrypt " conversation establishing request " and " conversation establishing response " message with session encryption key in creating conversation procedure.
14. method according to claim 1, it is characterized in that: the service call among the described step D, employing comprises that client sends request and service end is returned the service calling method of " request-response " pattern of response to client to service end, or does not need service end to return the service calling method of " notice " pattern of response.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2004100425008A CN100334833C (en) | 2004-05-25 | 2004-05-25 | Method for using server resources by client via a network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2004100425008A CN100334833C (en) | 2004-05-25 | 2004-05-25 | Method for using server resources by client via a network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1705267A CN1705267A (en) | 2005-12-07 |
CN100334833C true CN100334833C (en) | 2007-08-29 |
Family
ID=35577716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2004100425008A Expired - Lifetime CN100334833C (en) | 2004-05-25 | 2004-05-25 | Method for using server resources by client via a network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100334833C (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101202977B (en) * | 2006-12-14 | 2012-05-23 | 英华达(上海)电子有限公司 | method and terminal for realizing information sharing in mobile communication |
JP4984907B2 (en) * | 2007-01-19 | 2012-07-25 | ソニー株式会社 | Network system, direct access management server, event notification method, network home appliance, and computer program |
CN101242323B (en) * | 2007-02-06 | 2010-12-08 | 华为技术有限公司 | Establishment method and home network system for pipes between devices |
CN101388060B (en) * | 2007-09-11 | 2013-03-13 | 深圳兆日科技股份有限公司 | System and method for implementing authorisation session authentication between entities |
US8646027B2 (en) * | 2008-06-27 | 2014-02-04 | Microsoft Corporation | Workflow based authorization for content access |
CN102118735B (en) * | 2010-01-05 | 2015-04-01 | 中兴通讯股份有限公司 | Method for realizing data subscription notification based on lightweight directory access protocol |
CN102891865B (en) * | 2011-07-18 | 2016-07-06 | 阿里巴巴集团控股有限公司 | A kind of information getting method and equipment |
CN104243538A (en) * | 2013-06-24 | 2014-12-24 | 腾讯科技(深圳)有限公司 | Resource sharing method and system |
CN105338007B (en) * | 2014-05-30 | 2018-12-14 | 北京猎豹网络科技有限公司 | The acquisition methods of service documents, providing method, archive server and central server in server cluster |
US20160286398A1 (en) * | 2015-03-23 | 2016-09-29 | Qualcomm Incorporated | Schedule selection and connection setup between devices participating in a nan data link |
CN108512889B (en) * | 2018-01-12 | 2021-07-02 | 深圳壹账通智能科技有限公司 | Application response pushing method based on HTTP and proxy server |
CN109213682A (en) * | 2018-09-06 | 2019-01-15 | 郑州云海信息技术有限公司 | A kind of method of test client, client, server-side and readable storage medium storing program for executing |
CN113778716A (en) * | 2021-09-14 | 2021-12-10 | 联想(北京)有限公司 | Service switching method, electronic equipment and service switching system |
CN114040225B (en) * | 2021-11-17 | 2023-08-11 | 聚好看科技股份有限公司 | Server, display equipment and media asset mapping method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6202089B1 (en) * | 1998-06-30 | 2001-03-13 | Microsoft Corporation | Method for configuring at runtime, identifying and using a plurality of remote procedure call endpoints on a single server process |
CN1481112A (en) * | 2002-09-12 | 2004-03-10 | 联想(北京)有限公司 | Service renting and authorizing method for realizing resource sharing in household network |
CN1489044A (en) * | 2003-08-21 | 2004-04-14 | 上海交通大学 | Interacting web service dispatching method based on multi-agency |
-
2004
- 2004-05-25 CN CNB2004100425008A patent/CN100334833C/en not_active Expired - Lifetime
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6202089B1 (en) * | 1998-06-30 | 2001-03-13 | Microsoft Corporation | Method for configuring at runtime, identifying and using a plurality of remote procedure call endpoints on a single server process |
CN1481112A (en) * | 2002-09-12 | 2004-03-10 | 联想(北京)有限公司 | Service renting and authorizing method for realizing resource sharing in household network |
CN1489044A (en) * | 2003-08-21 | 2004-04-14 | 上海交通大学 | Interacting web service dispatching method based on multi-agency |
Non-Patent Citations (1)
Title |
---|
基于Web Service异构教育资源库数据共享方案的研究与实现 庄秀丽,孙波,电化教育研究,第2期 2003 * |
Also Published As
Publication number | Publication date |
---|---|
CN1705267A (en) | 2005-12-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10637661B2 (en) | System for user-friendly access control setup using a protected setup | |
Fan et al. | Diam-iot: A decentralized identity and access management framework for internet of things | |
JP5215289B2 (en) | Method, apparatus and system for distributed delegation and verification | |
CN100563248C (en) | The method and system that when the user is connected to IP network, in the local management zone, is used for the leading subscriber insertion authority | |
CN100334833C (en) | Method for using server resources by client via a network | |
US20090158394A1 (en) | Super peer based peer-to-peer network system and peer authentication method thereof | |
JP2009086802A (en) | Mediation method and system for authentication | |
CN104054321A (en) | Security management for cloud services | |
CN109474916A (en) | A kind of device authentication method, apparatus and machine readable media | |
US11695751B2 (en) | Peer-to-peer notification system | |
CN113785549B (en) | Improving transmission of in-vehicle data or messages using SOME/IP communication protocol | |
CN102893579B (en) | For provide method, node and the equipment of bill in communication system | |
JP2005167412A (en) | Communication system, communication terminal and server apparatus used in communication system, and connection authentication method used for communication system | |
CN113872940A (en) | Access control method, device and equipment based on NC-Link | |
US20160269382A1 (en) | Secure Distribution of Non-Privileged Authentication Credentials | |
KR20080097180A (en) | Method for transferring resource and method for providing information | |
CN112335215B (en) | Method for coupling terminal devices into a network-enabled computer infrastructure | |
JP4847483B2 (en) | Personal attribute information providing system and personal attribute information providing method | |
JP3914193B2 (en) | Method for performing encrypted communication with authentication, authentication system and method | |
Park et al. | Open location-based service using secure middleware infrastructure in web services | |
JP2007074745A (en) | Method for performing encrypted communication by obtaining authentication, authentication system and method | |
JP4794939B2 (en) | Ticket type member authentication apparatus and method | |
KR20080026022A (en) | Method for providing information, method for authenticating client and drm interoperable system | |
JP3678009B2 (en) | Communication method | |
JP2007043750A (en) | Method for performing encryption communication after autentication, system and method for authentication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CX01 | Expiry of patent term |
Granted publication date: 20070829 |
|
CX01 | Expiry of patent term |