一种基于SOA架构的统一身份认证系统的研究及实现
摘要
计算机网络和信息技术的迅速发展使得企业信息化的程度不断提高,在企业信息化过程中,诸如OA、CRM、ERP、OSS等越来越多的业务系统应运而生,提高了企业的管理水平和运行效率。但是网络资源越多,网络秩序越难加以控制,从而导致出现各种不安全可能,系统分散管理,缺乏统一的安全策略,安全强度也参差不齐。
现有的统一认证系统利用目录服务部分的解决了统一认证的问题,但是,由于其基于传统C/S模式的特点,在应用集成上存在不足。随着Web Service技术的发展和日渐广泛应用,其高度集成性、松散耦合和实现简单等特点使其在应用集成上发挥着重要的作用。随着面向服务的体系结构(SOA)的兴起,SOA更能提高应用程序易维护性和易开发性,更容易地使业务和IT紧密结合。
基于单点登录技术的发展,本文提出基于SOA框架的松耦合统一身份认证系统模型,该系统可对所有被授权的网络资源进行无缝访问。用户只需输入一次用户名和密码,通过身份认证并获取相应的权限,即可访问所有被授权的服务。不用面对不同的系统记住不同的用户名和密码,从而提高用户和管理员的工作效率,降低网络操作费用,并且不降低网络的安全性和操作的简便性。
统一身份认证系统中用户一旦通过身份验证,持有认证令牌即可访问所有被授权的服务。所以令牌的安全传输及各系统与认证服务器间的相互信任,不可否认地成了影响系统实现的主要问题。实现过程中主要存在着中间人攻击、重放攻击等网络安全问题。
在实现上采用Web Service作为SOA的各组件间的公共的开发标准基础的实现框架。该系统使用XML、SOAP技术,通过票据传递,实现统一身份认证的功能,同时,系统易于集成,新的应用系统可以不带自己用户系统依靠统一认证系统实现对用户的认证和授权,降低了开发难度。随着统一身份认证系统的逐步完善,将在网络信息安全体系中发挥重要的作用,使网络管理更加简单有效。
With the development of the network and information technology, Enterprise’s informatization degree increased very fast. In the course of informatization, there emerges more and more application system, and improve the management and operating efficiency. But it increases the network resource, and makes it difficult to maintain the net order. It leads to all kinds of insecurity, and distributing system management lack of security policy and irregularity security strength.
Existing unified authentication that system utilizes directory service partly solves the problem of unified authentication. However, for its C/s mode based, the system is insufficiently in using and integrating. With emerge of Service Orient Architecture (SOA); it can lead to easy maintenance and development. It also can make business and IT more integrate with each other.
On the basis of the development of single sign on, the paper proposes a unify identity authentication system based on Serviced oriented architecture. This system can access all network resources on commission. Users are required to input their usernames and passwords once. As a valid user, he can access any application that uses the single sign on with the same user name and password. This system improves the efficiency of users and administrators, reduces expenses of the network operations, and makes the whole system more secure and convenient.
Once the user gets the authentication token, he can access the web application using the system. So it is undeniable that the security of the token, the trust of the application and the authentication server has become the subject matter influencing the system to implement. There are many secure problems of network, such as the man in the middle attack, reply attack.
We use web service as its developing foundation between components. This system uses XML, SOAP technology and implements identity authentication function using tickets transmitting. In additional, the system can be integrated easily. With the unify identity authentication system being gradual and perfect, it will play an important roe among the information security system of network, and network management will be simpler and effective.
现有的统一认证系统利用目录服务部分的解决了统一认证的问题,但是,由于其基于传统C/S模式的特点,在应用集成上存在不足。随着Web Service技术的发展和日渐广泛应用,其高度集成性、松散耦合和实现简单等特点使其在应用集成上发挥着重要的作用。随着面向服务的体系结构(SOA)的兴起,SOA更能提高应用程序易维护性和易开发性,更容易地使业务和IT紧密结合。
基于单点登录技术的发展,本文提出基于SOA框架的松耦合统一身份认证系统模型,该系统可对所有被授权的网络资源进行无缝访问。用户只需输入一次用户名和密码,通过身份认证并获取相应的权限,即可访问所有被授权的服务。不用面对不同的系统记住不同的用户名和密码,从而提高用户和管理员的工作效率,降低网络操作费用,并且不降低网络的安全性和操作的简便性。
统一身份认证系统中用户一旦通过身份验证,持有认证令牌即可访问所有被授权的服务。所以令牌的安全传输及各系统与认证服务器间的相互信任,不可否认地成了影响系统实现的主要问题。实现过程中主要存在着中间人攻击、重放攻击等网络安全问题。
在实现上采用Web Service作为SOA的各组件间的公共的开发标准基础的实现框架。该系统使用XML、SOAP技术,通过票据传递,实现统一身份认证的功能,同时,系统易于集成,新的应用系统可以不带自己用户系统依靠统一认证系统实现对用户的认证和授权,降低了开发难度。随着统一身份认证系统的逐步完善,将在网络信息安全体系中发挥重要的作用,使网络管理更加简单有效。
With the development of the network and information technology, Enterprise’s informatization degree increased very fast. In the course of informatization, there emerges more and more application system, and improve the management and operating efficiency. But it increases the network resource, and makes it difficult to maintain the net order. It leads to all kinds of insecurity, and distributing system management lack of security policy and irregularity security strength.
Existing unified authentication that system utilizes directory service partly solves the problem of unified authentication. However, for its C/s mode based, the system is insufficiently in using and integrating. With emerge of Service Orient Architecture (SOA); it can lead to easy maintenance and development. It also can make business and IT more integrate with each other.
On the basis of the development of single sign on, the paper proposes a unify identity authentication system based on Serviced oriented architecture. This system can access all network resources on commission. Users are required to input their usernames and passwords once. As a valid user, he can access any application that uses the single sign on with the same user name and password. This system improves the efficiency of users and administrators, reduces expenses of the network operations, and makes the whole system more secure and convenient.
Once the user gets the authentication token, he can access the web application using the system. So it is undeniable that the security of the token, the trust of the application and the authentication server has become the subject matter influencing the system to implement. There are many secure problems of network, such as the man in the middle attack, reply attack.
We use web service as its developing foundation between components. This system uses XML, SOAP technology and implements identity authentication function using tickets transmitting. In additional, the system can be integrated easily. With the unify identity authentication system being gradual and perfect, it will play an important roe among the information security system of network, and network management will be simpler and effective.
引文
[1] Eric Newcomer, Greg Lomow: Understanding SOA with Web Services. 2004
[2] 刘兰娟,张庆华. 信息安全工程理论与实践. 计算机应用研究. 2003 年第 4 期 85
[3] (美)Ed Titte, Mike Chapple, James Michael Stewaret. CISSP:认证信息系统安全专家全息教程. 电子工业出版社. 2006/10/1~19,174~273
[4] 康丽军. 基于时间的一次性口令认证的原理与实现[硕士学位论文]. http://www.cnki.net
[5] 郑少鹏. 统一身份认证系统:[硕士学位论文]. http://www.cnki.net
[6] 微软统一身份认证服务。http://www.msn.com
[7] Liberty Alliance Project Specification. http://www.projectliberty.org/specs/index.html
[8] 宋志强,陈怀楚等。校园网统一身份认证结构及基于此结构的应用漫游的实现。 计算机工程与应用。 2002 年第 38 卷第 20 期
[9] 闰新庆,李文锋,陈定方 Web 服务的体系结构和应用.武汉理工大学学报 2002 年 OS 期
[10] 柴晓路,梁羽奇.Web services 技术、架构与应用.电子工业出版社.2003.01.
[11] 王胜顺,金海.Web Services 身份认证与授权系统的研究与实践.南昌大学学报.2002 年 03期
[12] 李安逾.Web Services 技术与实现.国防工业出版社 2003.1
[13] 曾铮,吴明晖,应晶.简单对象访问协议 SOAP 综述.计算机应用研究.2002 年 02
[14] SOAP Version 1.2 Part 1: Messaging Framework.http://www.w3.org/TR/2002/CR-soap 12-partl-20021219/
[15] W3C Organization, Simple Object Access Protocol (SOAP) Version 1.2 [DB/OL]http: //www.w3.org/2000/xp/Group
[16] SOAP Version 1.2 Part 0: Primer.http://www.w3.org/TR/2002/CR-soap 12-part0-20021219/
[17] SOAP Version 1.2 Part 2: Adjuncts. http://www.w3.org/TR/2002/CR-soap 12-part2-20021219/
[18] Web Service Description Language (WSDL)1.0, http://www-106.ibm.com/developerworks/web/library/w-wsdl.html?dwzone=web
[19] Web Services Description Language (WSDL) Version 2.0 Part 1:Core Language, http://www.w3.org/TR/2006/CR-wsdl20-20060327/
[20] UDDI 技术白皮书.http://www.uddi-china.org/pubs/UDDI_ Technical 一 White_ Paper_ CN.pdf
[21] web Service Case Study: 统 一 身 份 认 证 服 务 . http://www-128.ibm.com/developerworks/cn/webservices/ws-casestudy/part4/
[22] (美)Mandy Andress.计算机安全原理. 机械工业出版社.2002.1
[23] IBM Corporation and Microsoft Corporation. “Security in a Web Services World: A Proposed Architecture and Roadmap——A joint security whitepaper from IBM Corporation and Microsoft Corporation” April 7, 2002, Version 1.0 at http://www-106.ibm.com/developerworks/library/ws-secmap/
[24] IBM Corporation and Microsoft Corporation. “Web Services Security: Moving up the stack -- New specifications improve the WS-Security model.” At http://www-106.ibm.com/developerworks/library/ws-secroad/#3
[25] (美)Ed Tittel,Mike Chapple, James Michael Stewaret. CISSP:认证信息系统安全专家全息教程.电子工业出版社.2003
[26] (美)Mandy Andress.计算机安全原理.杨涛,杨晓云,王建桥等译.机械工业 出版社.2002.1
[27] Bruce Schneier.Applied Cryptography: protocols, algorithms, and source code in C. Second Edition. China Machine Prss. 2000.01
[28] 石荣,李建华,柴凯.Internet 环境下密钥交换协议的安全机制研究.通信技术 2002.01
[29]柴晓路:WEB 服务架构与开放互操作技术。 2002
[30] 孙宝林,杨球,吴长海.RSA 公开密钥密码算法及其在信息交换中的应用.武汉交通科技大学学报.2000.02
[31] 郑宏云.Internet 的加密与认证技术.中国数据通讯网络.2000 年 07 期
[32] 徐志大,南相浩.Internet X.509 PKI 安全通信协议设计与证明.计算机工程与应用.2003年 1 期
[33] 李录章.基于 SSL 的目录服务的安全传输模型.福州大学学报(自然科学版). 2001 年 04 期
[34] 刘启新,蒋东兴,石暑,沈锡臣,网络应用系统统一口令认证的研究与实现, http://www.cic.tsinghua.edu.cn/sys/woxtkl.htm
[35] 田李,林卫明,鲁汉榕.一种新的一次性口令认证方案.武汉理工大学学报(交通科学与工程版). 2002 年 05 期
[36] 屈长青 PKI 技术与应用研究现代计算机 2002 年 02 期
[37] 李福芳,黄家林,黄烟波等.基于 PK/JSP 和 Servlet 的用户身份认证系统.微型机与应用.2002 年 10 期
[38] Thomas Grog. Security Analysis of the SAML Single Sign-on Browser/Artifact Profile.书室IEEE Proceedings of the I9th Annual Computer Security Applications Conference (ACSAC 2003), 2000, 1063-9527/03.
[39] Brigit Pfitzmann, Michael Waidner. Analysis of Liberty Single-Sign-on with Enabled Clients. IEEE INTERNET COMPITING. November/December 2003.
[40] 李晨,张礼平,杨富平.松散祸合分布式计算中的互操作.微型电脑应用.2002 年 01 期
[41] JAAS:灵活的 Java 安全机制.http://www.yesky.com/20030114/1648365.shtml
[42] The Open Group’s Single Sign-On page. http://www.opengroup.org/security/sso/.
[43] Santa Fe, New Mexico. Single Sign-On in In-VIGO, Role-Based Access via Delegation Mechanisms Using Short-Lived User Identities. l8 th International Parallel and Distributed Processing Symposium (IPDPS'04), Apr 2004.
[44] Andrej Volchkov. Revisiting Single Sign-On: A Pragmatic Approach in a New Context IEEE Computer Society. Jan/Feb 2001
[45] John T, Kohl, B. Clifford Neuman. The Kerberos Net Work Authentication Service: Version 5 Draft Protocol Specification, Revised Apr 1993.
[46] D. P. Kormann, A. D. Robin. Risks of the passport single sign on protocol. Networks, 2000, 33:51-58.
[47] 张世永.网络安全原理与应用.北京:科学出版社,2003: 23-57.
[48] B. Clifford Neuman. Proxy-Based Authorication and Accounting for Distributed Systems. In Proceedings of the 19th International Conference on Distributed Computing Systems, Mav 1993: 283-291.
[49] Elliotte Rusty Harold. XML 实用教程,北京:机械工业出版社,1999:89-132
[50] Scott Seely. SOAP:XML 跨平台 Web Service 开发技术.北京:机械工业出版社,2002: 34-54
[2] 刘兰娟,张庆华. 信息安全工程理论与实践. 计算机应用研究. 2003 年第 4 期 85
[3] (美)Ed Titte, Mike Chapple, James Michael Stewaret. CISSP:认证信息系统安全专家全息教程. 电子工业出版社. 2006/10/1~19,174~273
[4] 康丽军. 基于时间的一次性口令认证的原理与实现[硕士学位论文]. http://www.cnki.net
[5] 郑少鹏. 统一身份认证系统:[硕士学位论文]. http://www.cnki.net
[6] 微软统一身份认证服务。http://www.msn.com
[7] Liberty Alliance Project Specification. http://www.projectliberty.org/specs/index.html
[8] 宋志强,陈怀楚等。校园网统一身份认证结构及基于此结构的应用漫游的实现。 计算机工程与应用。 2002 年第 38 卷第 20 期
[9] 闰新庆,李文锋,陈定方 Web 服务的体系结构和应用.武汉理工大学学报 2002 年 OS 期
[10] 柴晓路,梁羽奇.Web services 技术、架构与应用.电子工业出版社.2003.01.
[11] 王胜顺,金海.Web Services 身份认证与授权系统的研究与实践.南昌大学学报.2002 年 03期
[12] 李安逾.Web Services 技术与实现.国防工业出版社 2003.1
[13] 曾铮,吴明晖,应晶.简单对象访问协议 SOAP 综述.计算机应用研究.2002 年 02
[14] SOAP Version 1.2 Part 1: Messaging Framework.http://www.w3.org/TR/2002/CR-soap 12-partl-20021219/
[15] W3C Organization, Simple Object Access Protocol (SOAP) Version 1.2 [DB/OL]http: //www.w3.org/2000/xp/Group
[16] SOAP Version 1.2 Part 0: Primer.http://www.w3.org/TR/2002/CR-soap 12-part0-20021219/
[17] SOAP Version 1.2 Part 2: Adjuncts. http://www.w3.org/TR/2002/CR-soap 12-part2-20021219/
[18] Web Service Description Language (WSDL)1.0, http://www-106.ibm.com/developerworks/web/library/w-wsdl.html?dwzone=web
[19] Web Services Description Language (WSDL) Version 2.0 Part 1:Core Language, http://www.w3.org/TR/2006/CR-wsdl20-20060327/
[20] UDDI 技术白皮书.http://www.uddi-china.org/pubs/UDDI_ Technical 一 White_ Paper_ CN.pdf
[21] web Service Case Study: 统 一 身 份 认 证 服 务 . http://www-128.ibm.com/developerworks/cn/webservices/ws-casestudy/part4/
[22] (美)Mandy Andress.计算机安全原理. 机械工业出版社.2002.1
[23] IBM Corporation and Microsoft Corporation. “Security in a Web Services World: A Proposed Architecture and Roadmap——A joint security whitepaper from IBM Corporation and Microsoft Corporation” April 7, 2002, Version 1.0 at http://www-106.ibm.com/developerworks/library/ws-secmap/
[24] IBM Corporation and Microsoft Corporation. “Web Services Security: Moving up the stack -- New specifications improve the WS-Security model.” At http://www-106.ibm.com/developerworks/library/ws-secroad/#3
[25] (美)Ed Tittel,Mike Chapple, James Michael Stewaret. CISSP:认证信息系统安全专家全息教程.电子工业出版社.2003
[26] (美)Mandy Andress.计算机安全原理.杨涛,杨晓云,王建桥等译.机械工业 出版社.2002.1
[27] Bruce Schneier.Applied Cryptography: protocols, algorithms, and source code in C. Second Edition. China Machine Prss. 2000.01
[28] 石荣,李建华,柴凯.Internet 环境下密钥交换协议的安全机制研究.通信技术 2002.01
[29]柴晓路:WEB 服务架构与开放互操作技术。 2002
[30] 孙宝林,杨球,吴长海.RSA 公开密钥密码算法及其在信息交换中的应用.武汉交通科技大学学报.2000.02
[31] 郑宏云.Internet 的加密与认证技术.中国数据通讯网络.2000 年 07 期
[32] 徐志大,南相浩.Internet X.509 PKI 安全通信协议设计与证明.计算机工程与应用.2003年 1 期
[33] 李录章.基于 SSL 的目录服务的安全传输模型.福州大学学报(自然科学版). 2001 年 04 期
[34] 刘启新,蒋东兴,石暑,沈锡臣,网络应用系统统一口令认证的研究与实现, http://www.cic.tsinghua.edu.cn/sys/woxtkl.htm
[35] 田李,林卫明,鲁汉榕.一种新的一次性口令认证方案.武汉理工大学学报(交通科学与工程版). 2002 年 05 期
[36] 屈长青 PKI 技术与应用研究现代计算机 2002 年 02 期
[37] 李福芳,黄家林,黄烟波等.基于 PK/JSP 和 Servlet 的用户身份认证系统.微型机与应用.2002 年 10 期
[38] Thomas Grog. Security Analysis of the SAML Single Sign-on Browser/Artifact Profile.书室IEEE Proceedings of the I9th Annual Computer Security Applications Conference (ACSAC 2003), 2000, 1063-9527/03.
[39] Brigit Pfitzmann, Michael Waidner. Analysis of Liberty Single-Sign-on with Enabled Clients. IEEE INTERNET COMPITING. November/December 2003.
[40] 李晨,张礼平,杨富平.松散祸合分布式计算中的互操作.微型电脑应用.2002 年 01 期
[41] JAAS:灵活的 Java 安全机制.http://www.yesky.com/20030114/1648365.shtml
[42] The Open Group’s Single Sign-On page. http://www.opengroup.org/security/sso/.
[43] Santa Fe, New Mexico. Single Sign-On in In-VIGO, Role-Based Access via Delegation Mechanisms Using Short-Lived User Identities. l8 th International Parallel and Distributed Processing Symposium (IPDPS'04), Apr 2004.
[44] Andrej Volchkov. Revisiting Single Sign-On: A Pragmatic Approach in a New Context IEEE Computer Society. Jan/Feb 2001
[45] John T, Kohl, B. Clifford Neuman. The Kerberos Net Work Authentication Service: Version 5 Draft Protocol Specification, Revised Apr 1993.
[46] D. P. Kormann, A. D. Robin. Risks of the passport single sign on protocol. Networks, 2000, 33:51-58.
[47] 张世永.网络安全原理与应用.北京:科学出版社,2003: 23-57.
[48] B. Clifford Neuman. Proxy-Based Authorication and Accounting for Distributed Systems. In Proceedings of the 19th International Conference on Distributed Computing Systems, Mav 1993: 283-291.
[49] Elliotte Rusty Harold. XML 实用教程,北京:机械工业出版社,1999:89-132
[50] Scott Seely. SOAP:XML 跨平台 Web Service 开发技术.北京:机械工业出版社,2002: 34-54