Research and Implementation of an LDAP-Based Single Sign-On System
Abstract
As computing hardware prices keep falling and network technology spreads, modern enterprises operate more and more application systems of various kinds to meet different production and management needs. At the same time, these application systems are usually independent of one another, rarely interconnected, and built on different development platforms, which creates a series of problems for users. The main ones, such as data sharing and the difficulty of unifying user identities and roles, mean that the same user has to authenticate and be verified repeatedly when accessing different application systems. As the number of these separate, mandatory logins grows, the number of user names and passwords a user must remember grows sharply with it. The frequent result is that some unfortunate users write their user names and passwords down so as not to forget them, unintentionally causing a number of serious security problems. The damage can also extend beyond the enterprise: business partners, industry representatives and customers may need to access the Web portal or applications from outside the enterprise (generally over the Internet), and they too may be asked to log in many times. Users need a unified login scheme in which a single login grants access to the other applications: Single Sign-On (SSO).
     Starting from the actual state of the enterprise's existing application systems, and after a fairly thorough study of the existing single sign-on techniques, this thesis proposes a single sign-on solution based on the LDAP (Lightweight Directory Access Protocol) service built into IBM Domino. The solution uses the existing LDAP directory service to supply user identity data, and presents four implementation schemes for unified user authentication: HTTP cookie authentication, form authentication, LTPA (Lightweight Third Party Authentication) authentication, and an authentication service based on the JAAS (Java Authentication and Authorization Service) framework. One of these schemes is then used to implement LDAP-based single sign-on between two application systems. The thesis analyses in detail the key technologies and concrete implementation methods required for SSO, and finally discusses the performance of the SSO solution. It offers a reference model and approach for integrating multiple application systems and authenticating users across them.
