扩展RBAC模型在WEB应用中的研究与实现
|
摘要
随着Internet的普及应用,人们对网络安全的需求日益增加,访问控制是防止非授权访问的一种重要的网络安全手段。访问控制在身份认证的基础上,依据授权对提出的资源访问请求加以控制。通过访问控制,既可以限制对关键资源的访问,也能够防止非法用户的入侵或合法用户的不慎操作所造成的破坏。
本文在比较分析访问控制三种主流技术——自主访问控制、强制访问控制、基于角色的访问控制的基础上,着重研究了基于角色访问控制的几种主要模型。据此提出本文的重点——引入了分组、时间的概念,扩充基于角色访问控制模型,称之为扩展RBAC模型,引入分组的目的是为了授权的清晰和简化,引入时间的目的是使系统更加安全有效。然后对该模型的具体实现和关键内容做出了阐述,详细给出了关键类的说明和数据结构描述,以及该模型基于WEB模式的身份验证和加密方式。最后以教学平台系统为例,具体阐述了基于角色的安全访问控制方案的实现,论证了设计方案在教学平台系统中的可行性。
With the development of Internet application, the demands for security of network keep increasing. Access control is one of the important techniques to avoid unauthorized accesses. Access control can limit the user to access the resource with his/her owns permission. It bases on Authentication. With access control service, illegal approach is critical resource and damage caused by illegal user's intrusions restricted from or legal inappropriate operations is reduced.
First, the thesis compares and analyzes the advantages and disadvantages of the three main technologies of access control which are DAC, MAC and RBAC. Secondly, the thesis specializes in the several main models of role-based access control. Thirdly, the thesis puts forward a textual point—introduces the concepts of group and time to expand the RBAC model which we called an Expand Model of RBAC. To make the authorization clear and concise, we introduce the concept of group, while to make the system more safely and effectively, we introduce the concept of time. In the thesis, we elaborate on realization and key contents of the model; give in detail description of database and key class. Identification; and encrypt also are given for this Expanded Model of RBAC in the thesis. Finally, to explain how to realize this system based on RBAC, we implement the given model in SiYuan Teaching Platform System. The result shows that the given model is feasible.
本文在比较分析访问控制三种主流技术——自主访问控制、强制访问控制、基于角色的访问控制的基础上,着重研究了基于角色访问控制的几种主要模型。据此提出本文的重点——引入了分组、时间的概念,扩充基于角色访问控制模型,称之为扩展RBAC模型,引入分组的目的是为了授权的清晰和简化,引入时间的目的是使系统更加安全有效。然后对该模型的具体实现和关键内容做出了阐述,详细给出了关键类的说明和数据结构描述,以及该模型基于WEB模式的身份验证和加密方式。最后以教学平台系统为例,具体阐述了基于角色的安全访问控制方案的实现,论证了设计方案在教学平台系统中的可行性。
With the development of Internet application, the demands for security of network keep increasing. Access control is one of the important techniques to avoid unauthorized accesses. Access control can limit the user to access the resource with his/her owns permission. It bases on Authentication. With access control service, illegal approach is critical resource and damage caused by illegal user's intrusions restricted from or legal inappropriate operations is reduced.
First, the thesis compares and analyzes the advantages and disadvantages of the three main technologies of access control which are DAC, MAC and RBAC. Secondly, the thesis specializes in the several main models of role-based access control. Thirdly, the thesis puts forward a textual point—introduces the concepts of group and time to expand the RBAC model which we called an Expand Model of RBAC. To make the authorization clear and concise, we introduce the concept of group, while to make the system more safely and effectively, we introduce the concept of time. In the thesis, we elaborate on realization and key contents of the model; give in detail description of database and key class. Identification; and encrypt also are given for this Expanded Model of RBAC in the thesis. Finally, to explain how to realize this system based on RBAC, we implement the given model in SiYuan Teaching Platform System. The result shows that the given model is feasible.
引文
[1]C.J.McCollum,J.R.Messing,L.Notargiacomo.Beyond the pale of MAC and DAC-defining new forms of access control[A].In:Proceedings of the 1990 IEEE Symposium on Security and Privacy[C].Los Alamitos,CA,USA:IEEE Computer Society Press,1990:190-200
[2]刘荫铭,李金海,刘国丽.计算机安全技术[M].北京:清华大学出版社,2000:1-20
[3]曹天杰,张永平,苏成.计算机系统安全[M].北京:高等教育出版社,2003:59-99
[4]吴迪.分布式环境下基于角色的互操作的访问控制技术研究[D][博士论文].浙江:浙江大学,2006:3-8,11-44
[5]R.sandhu,P.Samarati.Authentication,access control,and intrusion detection[A].In:Allen B.Tucker.The Computer Science and Engineering Handbook[M].Boca Raton,FL,USA:CRC Press,1997:1929-1948
[6]D.Ferraiolo,R.Kuhn.Role-based access controls[A].In:Proceedings of the 15~(th)NIST-NSA National Computer Security Conference[C].1992:554-563
[7](美)斯克内尔(B.Schneier)著.吴世忠等译.应用密码学(协议算法与C源程序)[M].北京:机械工业出版社,2003:332-450
[8]张方舟.分布环境下资源访问控制关键问题研究[D][博士论文].北京:中国科学院计算机网络信息中心,2006:31-51
[9]云辽飞.基于角色的访问控制技术在统一设备管理中心系统中的应用[D][硕士论文].西安:西安电子科技大学,2007:5-14
[10]R.Sandhu,E.Coyne,H.Feinstein,C.Youman.Role-Based Access Control Models[J].IEEE Computer,1996,29(2):38-47
[11]R.Sandhu.Rationale for the RBAC96 family of access control models[A].In:Proceedings of the 1st ACM Workshop on Role-Based Access Control[C].NY,USA:ACM Press,1997:Article N.9
[12]ANSI INCITS 359-2004.American National Standard for Information Technology-Role Based Access Control[S].NY,USA:American National Standards Institute,Inc,2004
[13]D.Ferraiolo,R.Sandhu,S.Gavrila,D.R.Kuhn,R.Chandramouli.Proposed NIST Standard for Role-Based Access Control[J].ACM Transactions on Information and System Security,2001,4(3):224-274
[14]R.Sandhu,V.Bhamidipati,Q.Munawer.The ARBAC97 Model for Role-Based Administration of Roles[J].ACM Transactions on Information and System Security,1999,2(1):105-135
[15]李敏.UARBAC模型及其应用研究[D][硕士论文].成都:电子科技大学,2005:4-21
[16]叶春晓.基于角色访问控制(RBAC)中属性约束委托模型研究[D][博士论文].重庆:重庆大学,2005:11-15,47-98
[17](美)斯克内尔(B.Schneier)著.吴世忠等译.网络信息安全的真相.北京:机械工业出版社,2001:72-89
[18](美)斯蒂尔(C.Steel)等著.陈秋萍等译.安全模式[M].北京:机械工业出版社,2006:25-48,51-165
[19]郭贞伶.因特网单一签入系统结合RBAC授权机制之研究[D][硕士论文].台湾:世新大 学,2006:17-44
[20]林孟勋.结合RBAC授权之网站单一签入机制研究[D][硕士论文].台湾:世新大学,2006:3-13
[21]李晓峰,冯登国,徐震.一种通用访问控制管理模型[J].计算机研究与发展,2007,44(6):947-957
[22]夏鲁宁,荆继武.一种基于层次命名空间的RBAC管理模型[J].计算机研究与发展,2007.44(12):2020-2027
[23]Nyanchama M,Osborn S.Information Flow Analysis in Role-Based Systems[J].Journal of Computing and Information,1994,1(1):1368-1384
[24]R.Sandhu.Role Hierarchies and Constraints for Lattice-Based Access Control[A].In Computer Security-ESORICS 96[C].NY,USA:Springer-Verlag,1996:65-79
[25]S.Osborn.Mandatory Access Control and Role-Based Access Control Revisited[A].In Proceedings of the Second ACM Workshop on Role-Based Access Control(RBAC 97,Fairfax,VA)[C].NY,USA:ACM Press,1997:31-40
[26]R.Sandhu,Q.Munawer.How To Do Discretionary Access Control Using Roles[A].In Proc.of the 3rd ACM Workshop on Role-Based Access Control(RBAC-98,Fairfax,VA)[C].NY,USA:ACM Press,1998:47-54
[27]O.Sejong,R.Sandhu.A Model for Role Administration using Organization Structure[A].In Proc.the 7th ACM Symposium on Access Control Models and Technologies[C].NY,USA:ACM Press,2002:155-162
[28]谭立球,黄烟波,费耀平.RBAC模型在校园信息门户访问控制中的应用[J].通信学报,2005,26(B01):178-181
[29]黄建,卿斯汉,温红子.带时间特性的角色访问控制[J].软件学报,2003,14(11):1944-1954
[30]E.Bertino,P.Bonatti,E.Ferrar.TRBAC:A Temporal Role-based Access Control Model[J].ACM Transactions on Information and System Security,2001,4(3):191-223.
[31]刘婷婷,汪惠芬,张友良.支持授权的基于角色的访问控制模型及实现[J].计算机辅助设计与图形学学报,2004,16(4):414-419
[32]Longhua zhang,Gail-Joon Ahn,Bei-Tseng Chu.A rule-based framework for role-based delegation and revoeation[J].ACM Transactions on information and System Security(TISSEC),2003,6(3):404-441
[33]Gail-Joon Ahn,J.Park,R.Sandhu.Role-Based Access Control on the Web[J].ACM Transcations on Information and System Security,2001,4(1):37-71
[34]罗时飞编著.敏捷Acegi、CAS:构建安全的Java系统[M].北京:电子工业出版社,2007:69-199,323-349
[35]任传伦.分布环境下身份认证和授权管理的研究[D][博士论文].北京:北京邮电大学,2007:57-71
[36]NINGHUI LI,Security Analysis in Role-Based Access Control[J].ACM Transactions on Information and System Security,2006,9(4):391-420
[2]刘荫铭,李金海,刘国丽.计算机安全技术[M].北京:清华大学出版社,2000:1-20
[3]曹天杰,张永平,苏成.计算机系统安全[M].北京:高等教育出版社,2003:59-99
[4]吴迪.分布式环境下基于角色的互操作的访问控制技术研究[D][博士论文].浙江:浙江大学,2006:3-8,11-44
[5]R.sandhu,P.Samarati.Authentication,access control,and intrusion detection[A].In:Allen B.Tucker.The Computer Science and Engineering Handbook[M].Boca Raton,FL,USA:CRC Press,1997:1929-1948
[6]D.Ferraiolo,R.Kuhn.Role-based access controls[A].In:Proceedings of the 15~(th)NIST-NSA National Computer Security Conference[C].1992:554-563
[7](美)斯克内尔(B.Schneier)著.吴世忠等译.应用密码学(协议算法与C源程序)[M].北京:机械工业出版社,2003:332-450
[8]张方舟.分布环境下资源访问控制关键问题研究[D][博士论文].北京:中国科学院计算机网络信息中心,2006:31-51
[9]云辽飞.基于角色的访问控制技术在统一设备管理中心系统中的应用[D][硕士论文].西安:西安电子科技大学,2007:5-14
[10]R.Sandhu,E.Coyne,H.Feinstein,C.Youman.Role-Based Access Control Models[J].IEEE Computer,1996,29(2):38-47
[11]R.Sandhu.Rationale for the RBAC96 family of access control models[A].In:Proceedings of the 1st ACM Workshop on Role-Based Access Control[C].NY,USA:ACM Press,1997:Article N.9
[12]ANSI INCITS 359-2004.American National Standard for Information Technology-Role Based Access Control[S].NY,USA:American National Standards Institute,Inc,2004
[13]D.Ferraiolo,R.Sandhu,S.Gavrila,D.R.Kuhn,R.Chandramouli.Proposed NIST Standard for Role-Based Access Control[J].ACM Transactions on Information and System Security,2001,4(3):224-274
[14]R.Sandhu,V.Bhamidipati,Q.Munawer.The ARBAC97 Model for Role-Based Administration of Roles[J].ACM Transactions on Information and System Security,1999,2(1):105-135
[15]李敏.UARBAC模型及其应用研究[D][硕士论文].成都:电子科技大学,2005:4-21
[16]叶春晓.基于角色访问控制(RBAC)中属性约束委托模型研究[D][博士论文].重庆:重庆大学,2005:11-15,47-98
[17](美)斯克内尔(B.Schneier)著.吴世忠等译.网络信息安全的真相.北京:机械工业出版社,2001:72-89
[18](美)斯蒂尔(C.Steel)等著.陈秋萍等译.安全模式[M].北京:机械工业出版社,2006:25-48,51-165
[19]郭贞伶.因特网单一签入系统结合RBAC授权机制之研究[D][硕士论文].台湾:世新大 学,2006:17-44
[20]林孟勋.结合RBAC授权之网站单一签入机制研究[D][硕士论文].台湾:世新大学,2006:3-13
[21]李晓峰,冯登国,徐震.一种通用访问控制管理模型[J].计算机研究与发展,2007,44(6):947-957
[22]夏鲁宁,荆继武.一种基于层次命名空间的RBAC管理模型[J].计算机研究与发展,2007.44(12):2020-2027
[23]Nyanchama M,Osborn S.Information Flow Analysis in Role-Based Systems[J].Journal of Computing and Information,1994,1(1):1368-1384
[24]R.Sandhu.Role Hierarchies and Constraints for Lattice-Based Access Control[A].In Computer Security-ESORICS 96[C].NY,USA:Springer-Verlag,1996:65-79
[25]S.Osborn.Mandatory Access Control and Role-Based Access Control Revisited[A].In Proceedings of the Second ACM Workshop on Role-Based Access Control(RBAC 97,Fairfax,VA)[C].NY,USA:ACM Press,1997:31-40
[26]R.Sandhu,Q.Munawer.How To Do Discretionary Access Control Using Roles[A].In Proc.of the 3rd ACM Workshop on Role-Based Access Control(RBAC-98,Fairfax,VA)[C].NY,USA:ACM Press,1998:47-54
[27]O.Sejong,R.Sandhu.A Model for Role Administration using Organization Structure[A].In Proc.the 7th ACM Symposium on Access Control Models and Technologies[C].NY,USA:ACM Press,2002:155-162
[28]谭立球,黄烟波,费耀平.RBAC模型在校园信息门户访问控制中的应用[J].通信学报,2005,26(B01):178-181
[29]黄建,卿斯汉,温红子.带时间特性的角色访问控制[J].软件学报,2003,14(11):1944-1954
[30]E.Bertino,P.Bonatti,E.Ferrar.TRBAC:A Temporal Role-based Access Control Model[J].ACM Transactions on Information and System Security,2001,4(3):191-223.
[31]刘婷婷,汪惠芬,张友良.支持授权的基于角色的访问控制模型及实现[J].计算机辅助设计与图形学学报,2004,16(4):414-419
[32]Longhua zhang,Gail-Joon Ahn,Bei-Tseng Chu.A rule-based framework for role-based delegation and revoeation[J].ACM Transactions on information and System Security(TISSEC),2003,6(3):404-441
[33]Gail-Joon Ahn,J.Park,R.Sandhu.Role-Based Access Control on the Web[J].ACM Transcations on Information and System Security,2001,4(1):37-71
[34]罗时飞编著.敏捷Acegi、CAS:构建安全的Java系统[M].北京:电子工业出版社,2007:69-199,323-349
[35]任传伦.分布环境下身份认证和授权管理的研究[D][博士论文].北京:北京邮电大学,2007:57-71
[36]NINGHUI LI,Security Analysis in Role-Based Access Control[J].ACM Transactions on Information and System Security,2006,9(4):391-420