单点登录安全方案研究
|
摘要
随着企业信息化建设程度的不断提高,企业中的应用系统也越来越多。各系统往往都有自己的安全策略,由于各系统互相独立,一个用户在使用每一个应用系统之前,都必须按照相应的系统身份进行系统登陆。用户必须记住每一个系统的用户名和密码,这样一来出错的可能性会增加,受到非法截获和破坏的可能性也会增大,安全性就会相应降低。而如果用户忘记了口令,不能执行任务,就需要请求管理员的帮助,并只能在重新获得口令之前等待,造成了系统和安全管理资源的开销,降低了生产效率。由于上述原因,在市场上提出了这样的需求:用户可以基于最初访问网络时的一次身份验证,对所有被授权的网络资源进行无缝的访问。这样可以提高网络用户的工作效率,降低网络操作的费用,并提高网络的安全性。这样,单点登录技术应运而生。
本论文对单点登录技术进行了探讨,主要对系统工作流程和安全性方面进行了研究和总结。针对基于WEB技术的应用系统的特点,提出了一种基于WEB请求代理的单点登录的解决方案,采用了数字签名和SSL技术保证了系统的安全性,采用动态链接库技术增强了系统的可移植性和可扩展性。
本论文首先分析了多系统的应用所面临的问题,阐述了单点登录的必要性和重要性。然后深入分析比较了几种单点登录技术的特点,归纳总结了各自的优缺点以及适用环境。接着,研究了与单点登录相关的其他技术。在此基础上,给出了基于WEB请求代理的单点登录的解决方案的设计和实现。该方案将单点登录的核心功能封装在一个组件中,并采用了认证加密技术,既保证了单点登录系统的安全性,又符合WEB应用轻便、易扩展的特点。
With the enterprise informatization,enterprise applications are more and more. The system often has its own security policy. As a result of independent systems,a user must be in accordance with the appropriate identity for system login before in the use of each of the applications. Users must remember each system's username and password . This will increase the possibility of a mistake. And it will also increase the possibility of illegal interception and destruction ,security will be reduced. If the user has forgotten password,unable to perform the task,he need to request the help of the administrators,and have to wait until regained the password, resulted in resources costs,and reduced productivity. Due to the above-mentioned reasons,made such a demand in the market: user can access a network based on the initial authentication to access all authorized network resources seamlessly. So as to enhance the efficiency of users,reduce the cost of network operations andimprove network security. As a result, Single Sign-On technology came into being.
This paper studied the Single Sign-On Technology, research and summarizes the flow and security of the system. for the characteristics of WEB applications, proposed a Single Sign-On solution based on WEB request agent, use of digital signatures and SSL technology to guarantee the safety of the system, use of Dynamic-Link Library technology enhances system portability and extensibility.
This paper analysed the multi-system problems first,explained the necessity and importance of Single Sign-On. Then compared and analysed the characteristics of several Single Sign-On technology, summarized the advantages and disadvantages of each, as well as the application of environmental. Then,studied other technical related with Single Sign-On.On this basis, proposed a Single Sign-On solution based on WEB request agent. The solution will package the core functions of the Single Sign-On system to a components,and use authentication technology. The purpose is to ensure a Single Sign-On system security,and match WEB applications characteristics of light and easy to expand.
本论文对单点登录技术进行了探讨,主要对系统工作流程和安全性方面进行了研究和总结。针对基于WEB技术的应用系统的特点,提出了一种基于WEB请求代理的单点登录的解决方案,采用了数字签名和SSL技术保证了系统的安全性,采用动态链接库技术增强了系统的可移植性和可扩展性。
本论文首先分析了多系统的应用所面临的问题,阐述了单点登录的必要性和重要性。然后深入分析比较了几种单点登录技术的特点,归纳总结了各自的优缺点以及适用环境。接着,研究了与单点登录相关的其他技术。在此基础上,给出了基于WEB请求代理的单点登录的解决方案的设计和实现。该方案将单点登录的核心功能封装在一个组件中,并采用了认证加密技术,既保证了单点登录系统的安全性,又符合WEB应用轻便、易扩展的特点。
With the enterprise informatization,enterprise applications are more and more. The system often has its own security policy. As a result of independent systems,a user must be in accordance with the appropriate identity for system login before in the use of each of the applications. Users must remember each system's username and password . This will increase the possibility of a mistake. And it will also increase the possibility of illegal interception and destruction ,security will be reduced. If the user has forgotten password,unable to perform the task,he need to request the help of the administrators,and have to wait until regained the password, resulted in resources costs,and reduced productivity. Due to the above-mentioned reasons,made such a demand in the market: user can access a network based on the initial authentication to access all authorized network resources seamlessly. So as to enhance the efficiency of users,reduce the cost of network operations andimprove network security. As a result, Single Sign-On technology came into being.
This paper studied the Single Sign-On Technology, research and summarizes the flow and security of the system. for the characteristics of WEB applications, proposed a Single Sign-On solution based on WEB request agent, use of digital signatures and SSL technology to guarantee the safety of the system, use of Dynamic-Link Library technology enhances system portability and extensibility.
This paper analysed the multi-system problems first,explained the necessity and importance of Single Sign-On. Then compared and analysed the characteristics of several Single Sign-On technology, summarized the advantages and disadvantages of each, as well as the application of environmental. Then,studied other technical related with Single Sign-On.On this basis, proposed a Single Sign-On solution based on WEB request agent. The solution will package the core functions of the Single Sign-On system to a components,and use authentication technology. The purpose is to ensure a Single Sign-On system security,and match WEB applications characteristics of light and easy to expand.
引文
[1]王慧 基于WEB服务单点登录设计与实现沿海企业与科技2006年第四期。
[2]续岩,季永志 单点登录技术在Web应用中的研究与实现计算机工程2006年第十期。
[3]靳瑞芳 基于WEB单点登录系统的研究西北大学2007 6-8
[4]江淇,王群单点登录技术及其在图书馆中的应用 图书馆理论与实践2007年第四期。
[5]邓军,叶柏龙等基于验证代理的单点登录技术解决方案 电脑与信息技术2006年第三期。
[6]赵安军,曾应员等 网络安全技术与应用 人民邮电出版社2007.07 2-3。
[7]胡铮主编 网络与信息安全清华大学出版社 2006.05 145-149。
[8]电子签名的技术实现动网。http://www.cndw.com/news/4/2006031821566.asp
[9]王凤英、程震主编 网络与信息安全 中国铁道出版社2006.01 58。
[10]李涛编著 网络安全概论 电子工业出版社 2004 6-23,83-84,91-99。
[11]程光,张艳丽等 信息与网络安全 北京交通大学出版社 2008.06 36,55-56.
[12]密码技术简介 中国协议分析网。http://www.cnpaf.net/Class/hack/200610/15712.html
[13]关振胜编著 公钥基础设施PKI与认证机构CA 电子工业出版社2002。
[14]重定向 百度百科。http://baike.baidu.com/view/1245190.htm
[15]马亚娜,钱焕延等 用Cookie构建Web安全的实现计算机工程,2002。
[16]Session百度百科。http://baike.baidu.com/view/25258.html?tp=0_11
[17]袁德明,乔月圆编著 计算机网络安全 电子工业出版社 2007.06234-246
[18]李均锐,戴宗坤等SSL协议及其安全性分析.信息安全与通信保密200429-31
[19]动态链接库 百度百科。http://baike.baidu.com/view/147789.html?tp=0_01
[20]高焕芝 单点登录技术的研究 北京邮电大学2006.06
[21]蔡皖东编著 网络与信息安全西北工业大学出版社2004.04 222
[2]续岩,季永志 单点登录技术在Web应用中的研究与实现计算机工程2006年第十期。
[3]靳瑞芳 基于WEB单点登录系统的研究西北大学2007 6-8
[4]江淇,王群单点登录技术及其在图书馆中的应用 图书馆理论与实践2007年第四期。
[5]邓军,叶柏龙等基于验证代理的单点登录技术解决方案 电脑与信息技术2006年第三期。
[6]赵安军,曾应员等 网络安全技术与应用 人民邮电出版社2007.07 2-3。
[7]胡铮主编 网络与信息安全清华大学出版社 2006.05 145-149。
[8]电子签名的技术实现动网。http://www.cndw.com/news/4/2006031821566.asp
[9]王凤英、程震主编 网络与信息安全 中国铁道出版社2006.01 58。
[10]李涛编著 网络安全概论 电子工业出版社 2004 6-23,83-84,91-99。
[11]程光,张艳丽等 信息与网络安全 北京交通大学出版社 2008.06 36,55-56.
[12]密码技术简介 中国协议分析网。http://www.cnpaf.net/Class/hack/200610/15712.html
[13]关振胜编著 公钥基础设施PKI与认证机构CA 电子工业出版社2002。
[14]重定向 百度百科。http://baike.baidu.com/view/1245190.htm
[15]马亚娜,钱焕延等 用Cookie构建Web安全的实现计算机工程,2002。
[16]Session百度百科。http://baike.baidu.com/view/25258.html?tp=0_11
[17]袁德明,乔月圆编著 计算机网络安全 电子工业出版社 2007.06234-246
[18]李均锐,戴宗坤等SSL协议及其安全性分析.信息安全与通信保密200429-31
[19]动态链接库 百度百科。http://baike.baidu.com/view/147789.html?tp=0_01
[20]高焕芝 单点登录技术的研究 北京邮电大学2006.06
[21]蔡皖东编著 网络与信息安全西北工业大学出版社2004.04 222