Research and Implementation of an Enterprise Application Security Framework
Abstract
With the development and informatization of modern enterprises, their information systems are growing ever larger and more complex, and the security situation is becoming increasingly severe. Every link in an enterprise application system may be exposed to security threats, and an application system has to protect a great many resources. Yet today's enterprise application systems keep growing in complexity, and managing authentication, authorization and access control over resources is becoming ever more difficult. It is therefore very important to provide enterprises with an enterprise application security framework that is easy to use, easy to extend and easy to manage.
     Taking as its basis the RBAC access control model, the Acegi security framework and the architecture of the Universal Enterprise Application Platform (UniEAP) developed by Neusoft Group Ltd., this thesis studies in depth the security of J2EE-based enterprise application systems, discusses from multiple angles and at multiple layers how the overall security problems of application systems can be solved effectively, and presents a general-purpose security architecture design. The security framework is designed in three parts: a multi-dimensional organization structure, an authentication system and an authorization system, and a concrete design and implementation is given for each of the three. Because enterprises differ in what they require of a security framework, only a basic framework is provided here, solving only the security problems that are common to them, while keeping the framework highly extensible. The proposed design greatly reduces the complexity of security management in the universal enterprise application platform and strengthens the security of the system. It is also of reference value for solving the security problems of other enterprise application platforms and enterprise applications.
With the development of modern enterprises and information technology, enterprise information systems are becoming increasingly large-scale and complex, and the system security situation has consequently become more serious. Every part of an enterprise application system may suffer security threats, and such systems need to protect many resources. At present, enterprise application systems are becoming increasingly complex, and the management of authentication, authorization and access control over resources is becoming increasingly difficult. It is therefore important to develop an easy-to-use, easy-to-extend and easy-to-manage security framework for enterprise applications.
     This thesis is based on the RBAC model, the Acegi Security Framework and the architecture of the existing UniEAP system, a universal enterprise application platform developed by Neusoft Group Ltd. It begins with the security of the J2EE enterprise application platform, discusses how to deal with overall information security problems from several views and at several layers, and gives an overall scheme based on security technology and methods. The security framework is divided into three parts: a multi-dimensional organization structure, an authentication system and an authorization system, and the thesis gives a concrete design and implementation for each. Because every enterprise has different requirements, the security framework is a basic framework that resolves only the common security problems; at the same time, it is highly extensible. The design solution put forward by the thesis reduces the complexity of authorization management and strengthens the security of the system. The design and implementation will also be useful to other enterprise application platforms and other enterprise applications.