J2EE架构下基于角色访问控制的研究及应用
摘要
Sun公司顺应网络技术和Internet的迅速发展需求,提出的J2EE规范已成为企业级开发的工业标准。在Java语言走进企业级应用领域的同时,系统安全问题也受到了越来越多的关注。访问控制作为系统安全体系结构中的一个重要组成部分,是解决安全问题的关键之一。其中,基于角色的访问控制RBAC(Role-Based Access Control)为管理大量的资源访问权限提供了一种动态灵活的策略而在企业级开发中得到普遍应用。J2EE作为目前流行的企业级开发平台,虽然其访问控制机制主要也是基于角色的,但由于其机制本身所存在的缺陷,并不能良好地体现出RBAC的应用优势。
对此,本文首先对RBAC模型及J2EE访问控制机制进行了深入的分析:RBAC模型借助于角色实体,实现了用户与访问权限的逻辑分离,大大减少了授权管理的复杂性,易于实现动态复杂的访问控制策略;J2EE标准中的访问控制机制作为一个基于角色的安全机制,通过认证和授权,保障应用的访问安全,其中,JAAS(Java Authentication and Authorization Service)作为可扩展的认证授权框架,是J2EE当前版本中访问控制的重要技术。
然后,本文进一步分析比较了J2EE访问控制机制同标准RBAC模型访问控制策略间的差异,并结合企业级应用的特征,指出了J2EE访问控制机制中所存在的问题:对角色间继承约束关系以及角色权限动态管理的不支持等。
在此基础之上,本文提出了符合J2EE安全标准的角色访问控制系统原型,并利用JAAS等技术在J2EE环境下实现了该系统。系统的实现独立于具体应用,在J2EE访问控制机制基础之上,通过实现标准RBAC模型,弥补了J2EE访问控制机制中的一些不足。该系统易于实现复杂安全策略,具有良好的扩展性、可移植性和通用性。本文还通过系统的成功应用,验证了其在企业级应用访问控制方面的有效性和实用性。论文工作对J2EE架构下访问控制技术的应用研究提供了有益的参考。
To comply with the rapid development of network technology and the Internet, Sun Corporation brings forward the J2EE norm, which has been an industrial standard for enterprise development now. As the Java programming language has been an important part of the development of enterprise application, the security of system has been paid more and more attention to. Access control, an indispensable part of security structure, is one of the keys to solve security problems, and Role-based Access Control (RBAC) becomes the most popular access control model for its agility and facility in authorization management. Nowadays, J2EE is widely used as a platform for enterprise development. Its access control mechanism is mainly based on RBAC, but due to the defects in this mechanism itself, the access control of J2EE platform can not show the advantages of RBAC perfectly.
To solve this problem, firstly this thesis took an in-depth research on RBAC model and access control mechanism of J2EE. In RBAC model, users and access permissions are logically separated with roles. In this way, the complexity of authorization management is greatly decreased, and dynamic and complex access control strategy can be easily realized. As a Role-based security mechanism, the access control mechanism of J2EE protects the security of applications with authentication and authorization. JAAS, a scalable framework for authentication and authorization, is a very important technology to implement the access control of J2EE.
And then, this thesis did a further analysis on the difference between the access control mechanism of J2EE and RBAC model and also pointed out the disadvantages of J2EE's access control mechanism considering the unique requirement on enterprise application.It does not support the hierarchical and constrained relations between roles, and neither supports the dynamic management in role and permission etc, while the RBAC does.
On the basis of the research, the subject brought out a RBAC access control system prototype according to J2EE security standard. This subject also carried out a system under J2EE with technologies such as JAAS. The implementation of the system is separate from any specific application. On the basis of J2EE access control, the system covers some of the shortages of the J2EE access control mechanism with implementing the standard RBAC model. It's easy for the system to realize complex security strategy with a good scalability, portability and versatility. At the end of this thesis, the successful application of prototype system validated its effectiveness and practicability in access control of enterprise application. This thesis will bring useful reference to the application research of the access control technology with J2EE framework.
对此,本文首先对RBAC模型及J2EE访问控制机制进行了深入的分析:RBAC模型借助于角色实体,实现了用户与访问权限的逻辑分离,大大减少了授权管理的复杂性,易于实现动态复杂的访问控制策略;J2EE标准中的访问控制机制作为一个基于角色的安全机制,通过认证和授权,保障应用的访问安全,其中,JAAS(Java Authentication and Authorization Service)作为可扩展的认证授权框架,是J2EE当前版本中访问控制的重要技术。
然后,本文进一步分析比较了J2EE访问控制机制同标准RBAC模型访问控制策略间的差异,并结合企业级应用的特征,指出了J2EE访问控制机制中所存在的问题:对角色间继承约束关系以及角色权限动态管理的不支持等。
在此基础之上,本文提出了符合J2EE安全标准的角色访问控制系统原型,并利用JAAS等技术在J2EE环境下实现了该系统。系统的实现独立于具体应用,在J2EE访问控制机制基础之上,通过实现标准RBAC模型,弥补了J2EE访问控制机制中的一些不足。该系统易于实现复杂安全策略,具有良好的扩展性、可移植性和通用性。本文还通过系统的成功应用,验证了其在企业级应用访问控制方面的有效性和实用性。论文工作对J2EE架构下访问控制技术的应用研究提供了有益的参考。
To comply with the rapid development of network technology and the Internet, Sun Corporation brings forward the J2EE norm, which has been an industrial standard for enterprise development now. As the Java programming language has been an important part of the development of enterprise application, the security of system has been paid more and more attention to. Access control, an indispensable part of security structure, is one of the keys to solve security problems, and Role-based Access Control (RBAC) becomes the most popular access control model for its agility and facility in authorization management. Nowadays, J2EE is widely used as a platform for enterprise development. Its access control mechanism is mainly based on RBAC, but due to the defects in this mechanism itself, the access control of J2EE platform can not show the advantages of RBAC perfectly.
To solve this problem, firstly this thesis took an in-depth research on RBAC model and access control mechanism of J2EE. In RBAC model, users and access permissions are logically separated with roles. In this way, the complexity of authorization management is greatly decreased, and dynamic and complex access control strategy can be easily realized. As a Role-based security mechanism, the access control mechanism of J2EE protects the security of applications with authentication and authorization. JAAS, a scalable framework for authentication and authorization, is a very important technology to implement the access control of J2EE.
And then, this thesis did a further analysis on the difference between the access control mechanism of J2EE and RBAC model and also pointed out the disadvantages of J2EE's access control mechanism considering the unique requirement on enterprise application.It does not support the hierarchical and constrained relations between roles, and neither supports the dynamic management in role and permission etc, while the RBAC does.
On the basis of the research, the subject brought out a RBAC access control system prototype according to J2EE security standard. This subject also carried out a system under J2EE with technologies such as JAAS. The implementation of the system is separate from any specific application. On the basis of J2EE access control, the system covers some of the shortages of the J2EE access control mechanism with implementing the standard RBAC model. It's easy for the system to realize complex security strategy with a good scalability, portability and versatility. At the end of this thesis, the successful application of prototype system validated its effectiveness and practicability in access control of enterprise application. This thesis will bring useful reference to the application research of the access control technology with J2EE framework.
引文
[1]邓集波,洪帆.基于任务的访问控制模型[J].软件学报,2003,14(01):76-82.
[2]Marco Pistoia,Nataraj Nagaratnam 等.企业级Java安全性-构建安全的J2EE应用[M].尹亚,明喻卫,严进宝,译.北京:清华大学出版社,2005:47-131.
[3]Obelheiro R.R.,Fraga J.S.Role-based Access Control for CORBA Distributed Object Systems[C].WORDS,Proceedings of the The Seventh IEEE International Workshop on Object-Oriented Real-Time Dependable Systems(WORDS 2002):53-60.
[4]William Tolone,Gail-Joon Aim,Tanusree Pal,et al.Access control in collaborative systems [J].ACM Computing Surveys(CSUR),2005,37(1):29-41.
[5]David Ferraiolo,Richard Kulm.Role-BasedAccess Control[C].In 15th NIST-NCSC National Computer Security Conference,1992:554-563.
[6]Ravi Sandhu,Edward Coyne,Hal Feinstein,et al.Role-Based access control models[J].IEEE Computer,1996,29(2):38-47.
[7]Ravi Sandhu,Venkata Bhamidipati,Qamar Munawer.The ARBAC97 Model for Role-Based Administration of Roles[J].ACM Transactions on Information and Syste Security (TISSEC),1999,2(1):105-135.
[8]David F.Ferraiolo,Ravi Sandhu,Serban Gavrila,et al.Proposed NIST standard for role-based access control[J].ACM Transactions on Information and System Security (TISSEC),2001,4(3):224-274.
[9]马水平.基于角色的安全访问控制机制的研究[D].青岛:中国海洋大学,2005.
[10]马建平.一种无干扰的访问控制模型[D].武汉:华中理工大学,1994.
[11]钟华,冯玉琳,姜洪安.扩充角色层次关系模型及其应用[J].软件学报,2000,11(6):779-784.
[12]黄益民,平玲娣,潘雪增.一种基于角色的访问控制扩展模型及其实现[J].计算机研究与发展,2003,40(10):1521-1528.
[13]黎光伟.基于 J2EE 的机场软件及相关模块的设计与实现[D].成都:电子科技大学,2004.
[14]赵秀凤,郭渊博.一种基于角色和任务的访问控制模型[J].微计算机信息,2007,23(11-3):63-64.
[15]刘伟.基于角色的访问控制研究及其应用[D].成都:四川大学,2004.
[16]Dvaid F.Ferraiolo,D.Richard Kuhn,Ramaswamy Chandramouli[M].Role-Based Acces Control.Norwood:Artech House,2003:134-187.
[17]戴宗坤,罗万伯,唐三平等.信息系统安全[M].北京:金城出版社,2000:2-10.
[18]Alapan Amab,Andrew Hutchison.Persistent access control:a formal model for drm[C].ACM Workshop On Digital Rights Management,Proceedings of the 2007 ACM workshop on Digital Rights Management,2007:41-53.
[19]普继光.基于角色的访问控制系统的设计和应用[D].成都:电子科技大学,2004.
[20]Walid Rjaibi,Paul Bird.A multi-purpose implementation of mandatory access control in relational database management systems[C].Proceedings of the Thirtieth international conference on Very large data bases,2004,30:1010-1020.
[21]Sylvia Osborn,Ravi Sandhu,Qamar Munawer.Configuring role-based access control to enforce mandatory and discretionary access control policies[J].ACM Transactions on Information and System Security(TISSEC),2000,3(2):85-106.Osbom[22]Joon.S.Park,Ravi.Sandhu,Gail-Joon.Ahn.Role-Based Access Control on the Web[J].ACM Transaction Inform ation and System Security(TISSEC),2001,4(1):37-71.
[23]周伟平,陆松年.RBAC访问控制研究[J].计算机安全,2007,2:11-13.
[24]丁振国,吴环宇.RBAC在管理信息系统中的应用[J].微计算机信息,2007,23(6-3):4-8.
[25]甘晟科.J2EE分布式环境中RBAC模型的研究与设计[D].南昌:南昌大学,2005.
[26]邹晓.基于角色的访问控制模型分析与实现[J].微计算机信息,2006,22(6-3):108-110.
[27]叶锡君,许勇,吴国新.基于角色的访问控制在 Web 中的实现技术[J].计算机程,2002,28(1):167-169.
[28]NIST.The NIST Model for Role-Based Access Control:Towards A Unified Standard [EB/OL].(2000-07-26)[2008-02-17].http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf.
[29]网星工作室,伊晓强.J2EE全实例教程[M].北京:北京希望电子出版社,2002:1-12.
[30]陈华军.J2EE构建企业级应用解决方案[M].北京:人民邮电出版社,2002:1-10.
[31]魏楚元,李涛深.J2EE安全机制的分析与研究[J].计算机工程与设计,2005,26(6):1434-1437.
[32]裴德志.基于J2EE的WEB安全研究[D].武汉:武汉理工大学,2006.
[33]Christopher Steel,Ramesh Nagappan,Ray Lai.Core Sercurity Patterns:Best Practices and Strategies for J2EE,Web Services,and Identity Management[M].Prentice Hall PTR,2005.10.14:307-381.
[34]张晓刚.应用J2EE设计和实现基于WEB的分布式企业信息系统[D].西安:西安电子科技大学,2005.
[35]Bill Shannon,Mark Hapner,Eduardo Pelegri-Llopart,et al.Java 2 Platform Enterprise Edition Platform And Component Specifications[M].Addison Wesley Pub Co,2000.5.26:17-38.
[36]Marco Pistoia,Nataraj Nagaranam,Larry Koved,et al.Enterprise Java 2 Security:Building Secure and Robust J2EE Application[M].Addison Wesley Pub Co,2004.2.17:67-121.
[37]Ed Roman,Rima Pacel Sriganesh,Gerald Bmse.精通EJB[M].罗时飞译.北京:电子工业出版社,2005:269-302.
[38]Sun Microsystems.Java~(TM)Platform Enterprise Edition,v 5.0 API Specifications[EB/OL].(2007-10-19)[2008-02-23].http://java.sun.com/javaee/5/docs/api/.
[39]Rubin,Btad.JAVA 安全性,第二部分:认证与授权[EB/OL].(2001-10-11)[2008-02-23].http://www.ibm.com/developerworks/cn/views/java/tutorials.jsp?cv_doc_id=84887.
[40]Sun Microsystems.Java authentication and authorization service(JAAS)reference guide [EB/OL].(2001-08-08)[2008-02-27].http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/mtorials/.
[41]Gleb Naumovich,Paolina Centonze.Static Analysis of Role=Based Access Control in J2EE Applications[J].ACM SIGSOFT Software Engineering Notes,2004,29(5):1-10.
[42]彭海.J2EE安全策略中验证机制的改进与实现[D].重庆:重庆大学,2006.
[43]张志立,张鹏,齐德昱.基于J2EE的Web应用开发中安全问题的研究[J].武汉理工大学学报(交通科学与工程版),2005,29(2):300-303.
[44]Sinpool.Java 中 SHAI-hash(SHA1校验码)的解决方案[EB/OL].(2007-07-01)[2008-03-01].http://sinpool.blogdriver.com/sinpool/1280589.html.
[45]严蔚敏,吴伟民.数据结构[M].北京:清华大学出版社,2002:156-190.
[46]佟强,周园春,吴开超等.基于过滤器的Web访问模式挖掘[J].计算机工程,2007,33(6):59-61
[2]Marco Pistoia,Nataraj Nagaratnam 等.企业级Java安全性-构建安全的J2EE应用[M].尹亚,明喻卫,严进宝,译.北京:清华大学出版社,2005:47-131.
[3]Obelheiro R.R.,Fraga J.S.Role-based Access Control for CORBA Distributed Object Systems[C].WORDS,Proceedings of the The Seventh IEEE International Workshop on Object-Oriented Real-Time Dependable Systems(WORDS 2002):53-60.
[4]William Tolone,Gail-Joon Aim,Tanusree Pal,et al.Access control in collaborative systems [J].ACM Computing Surveys(CSUR),2005,37(1):29-41.
[5]David Ferraiolo,Richard Kulm.Role-BasedAccess Control[C].In 15th NIST-NCSC National Computer Security Conference,1992:554-563.
[6]Ravi Sandhu,Edward Coyne,Hal Feinstein,et al.Role-Based access control models[J].IEEE Computer,1996,29(2):38-47.
[7]Ravi Sandhu,Venkata Bhamidipati,Qamar Munawer.The ARBAC97 Model for Role-Based Administration of Roles[J].ACM Transactions on Information and Syste Security (TISSEC),1999,2(1):105-135.
[8]David F.Ferraiolo,Ravi Sandhu,Serban Gavrila,et al.Proposed NIST standard for role-based access control[J].ACM Transactions on Information and System Security (TISSEC),2001,4(3):224-274.
[9]马水平.基于角色的安全访问控制机制的研究[D].青岛:中国海洋大学,2005.
[10]马建平.一种无干扰的访问控制模型[D].武汉:华中理工大学,1994.
[11]钟华,冯玉琳,姜洪安.扩充角色层次关系模型及其应用[J].软件学报,2000,11(6):779-784.
[12]黄益民,平玲娣,潘雪增.一种基于角色的访问控制扩展模型及其实现[J].计算机研究与发展,2003,40(10):1521-1528.
[13]黎光伟.基于 J2EE 的机场软件及相关模块的设计与实现[D].成都:电子科技大学,2004.
[14]赵秀凤,郭渊博.一种基于角色和任务的访问控制模型[J].微计算机信息,2007,23(11-3):63-64.
[15]刘伟.基于角色的访问控制研究及其应用[D].成都:四川大学,2004.
[16]Dvaid F.Ferraiolo,D.Richard Kuhn,Ramaswamy Chandramouli[M].Role-Based Acces Control.Norwood:Artech House,2003:134-187.
[17]戴宗坤,罗万伯,唐三平等.信息系统安全[M].北京:金城出版社,2000:2-10.
[18]Alapan Amab,Andrew Hutchison.Persistent access control:a formal model for drm[C].ACM Workshop On Digital Rights Management,Proceedings of the 2007 ACM workshop on Digital Rights Management,2007:41-53.
[19]普继光.基于角色的访问控制系统的设计和应用[D].成都:电子科技大学,2004.
[20]Walid Rjaibi,Paul Bird.A multi-purpose implementation of mandatory access control in relational database management systems[C].Proceedings of the Thirtieth international conference on Very large data bases,2004,30:1010-1020.
[21]Sylvia Osborn,Ravi Sandhu,Qamar Munawer.Configuring role-based access control to enforce mandatory and discretionary access control policies[J].ACM Transactions on Information and System Security(TISSEC),2000,3(2):85-106.Osbom[22]Joon.S.Park,Ravi.Sandhu,Gail-Joon.Ahn.Role-Based Access Control on the Web[J].ACM Transaction Inform ation and System Security(TISSEC),2001,4(1):37-71.
[23]周伟平,陆松年.RBAC访问控制研究[J].计算机安全,2007,2:11-13.
[24]丁振国,吴环宇.RBAC在管理信息系统中的应用[J].微计算机信息,2007,23(6-3):4-8.
[25]甘晟科.J2EE分布式环境中RBAC模型的研究与设计[D].南昌:南昌大学,2005.
[26]邹晓.基于角色的访问控制模型分析与实现[J].微计算机信息,2006,22(6-3):108-110.
[27]叶锡君,许勇,吴国新.基于角色的访问控制在 Web 中的实现技术[J].计算机程,2002,28(1):167-169.
[28]NIST.The NIST Model for Role-Based Access Control:Towards A Unified Standard [EB/OL].(2000-07-26)[2008-02-17].http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf.
[29]网星工作室,伊晓强.J2EE全实例教程[M].北京:北京希望电子出版社,2002:1-12.
[30]陈华军.J2EE构建企业级应用解决方案[M].北京:人民邮电出版社,2002:1-10.
[31]魏楚元,李涛深.J2EE安全机制的分析与研究[J].计算机工程与设计,2005,26(6):1434-1437.
[32]裴德志.基于J2EE的WEB安全研究[D].武汉:武汉理工大学,2006.
[33]Christopher Steel,Ramesh Nagappan,Ray Lai.Core Sercurity Patterns:Best Practices and Strategies for J2EE,Web Services,and Identity Management[M].Prentice Hall PTR,2005.10.14:307-381.
[34]张晓刚.应用J2EE设计和实现基于WEB的分布式企业信息系统[D].西安:西安电子科技大学,2005.
[35]Bill Shannon,Mark Hapner,Eduardo Pelegri-Llopart,et al.Java 2 Platform Enterprise Edition Platform And Component Specifications[M].Addison Wesley Pub Co,2000.5.26:17-38.
[36]Marco Pistoia,Nataraj Nagaranam,Larry Koved,et al.Enterprise Java 2 Security:Building Secure and Robust J2EE Application[M].Addison Wesley Pub Co,2004.2.17:67-121.
[37]Ed Roman,Rima Pacel Sriganesh,Gerald Bmse.精通EJB[M].罗时飞译.北京:电子工业出版社,2005:269-302.
[38]Sun Microsystems.Java~(TM)Platform Enterprise Edition,v 5.0 API Specifications[EB/OL].(2007-10-19)[2008-02-23].http://java.sun.com/javaee/5/docs/api/.
[39]Rubin,Btad.JAVA 安全性,第二部分:认证与授权[EB/OL].(2001-10-11)[2008-02-23].http://www.ibm.com/developerworks/cn/views/java/tutorials.jsp?cv_doc_id=84887.
[40]Sun Microsystems.Java authentication and authorization service(JAAS)reference guide [EB/OL].(2001-08-08)[2008-02-27].http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/mtorials/.
[41]Gleb Naumovich,Paolina Centonze.Static Analysis of Role=Based Access Control in J2EE Applications[J].ACM SIGSOFT Software Engineering Notes,2004,29(5):1-10.
[42]彭海.J2EE安全策略中验证机制的改进与实现[D].重庆:重庆大学,2006.
[43]张志立,张鹏,齐德昱.基于J2EE的Web应用开发中安全问题的研究[J].武汉理工大学学报(交通科学与工程版),2005,29(2):300-303.
[44]Sinpool.Java 中 SHAI-hash(SHA1校验码)的解决方案[EB/OL].(2007-07-01)[2008-03-01].http://sinpool.blogdriver.com/sinpool/1280589.html.
[45]严蔚敏,吴伟民.数据结构[M].北京:清华大学出版社,2002:156-190.
[46]佟强,周园春,吴开超等.基于过滤器的Web访问模式挖掘[J].计算机工程,2007,33(6):59-61