Research on Role Partitioning and Authorization Rule Customization Methods for Portal Access
Abstract
As the window onto the digital campus, the campus portal presents the various applications of the digital campus to campus users through a browser. It bridges the gaps between campus applications, integrates structured and unstructured information resources, and provides users with a single point of entry to resources, a holistic security mechanism and unified user management, so that personalized services can be offered according to each user's role and permissions. User management and access control are therefore an important technical foundation of campus portal construction. This work is a basic-research sub-project within the school's digital campus construction. Its purpose and significance are: to realize unified user identity management based on the LDAP directory service; to introduce the concept of roles and explore a role-based access control system that meets the access requirements of a portal; and to provide sound information management services for the digital campus, promoting collaboration among campus application systems and the sharing of resources.

This thesis first analyzes several currently popular access control models and LDAP directory service technology. On this basis, by analyzing the access control requirements and goals of portal construction, it proposes an extended role-based access control model. Starting from the organizational characteristics of a school, the model introduces the concepts of "post" and "task" and takes user attributes, object attributes and security levels into account, achieving flexible and secure access control.

Second, on the basis of the extended access control model and Oracle directory service technology, it proposes a unified identity authentication scheme and an access control authorization scheme that meet the portal's requirements.

Finally, from the implementation perspective, through analysis of the Oracle AS Portal architecture and related technologies, a Struts-based portlet is developed and integrated into the portal.
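To make the extended model concrete, the following is an added Python example (not the thesis's own code) of an authorization decision in which roles reach a user only through a post, tasks bundle permissions together with a subject/object attribute rule, and a security-level comparison is applied to every request. All class names, sample users, objects and policy data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical encoding of the abstract's extended RBAC model (posts, tasks,
# user/object attributes, security levels). Sample data below is constructed.

@dataclass(frozen=True)
class User:
    uid: str
    dept: str
    clearance: int  # user attribute: security clearance level

@dataclass(frozen=True)
class Obj:
    name: str
    kind: str       # object type that permissions refer to
    dept: str
    level: int      # object attribute: security level

@dataclass(frozen=True)
class Task:
    name: str
    perms: frozenset                      # set of (operation, object kind)
    constraint: Callable[[User, Obj], bool] = lambda u, o: True  # attribute rule

def same_dept(u: User, o: Obj) -> bool:
    return u.dept == o.dept

TASKS: Dict[str, Task] = {
    "record_grades": Task("record_grades", frozenset({("read", "grade_record"), ("write", "grade_record")}), same_dept),
    "view_notices": Task("view_notices", frozenset({("read", "announcement")})),
}
ROLES: Dict[str, List[str]] = {"teacher": ["record_grades", "view_notices"], "student": ["view_notices"]}
POSTS: Dict[str, List[str]] = {"cs_lecturer": ["teacher"], "cs_student": ["student"]}  # post -> roles
USER_POSTS: Dict[str, List[str]] = {"alice": ["cs_lecturer"], "bob": ["cs_student"]}   # user -> posts

ALICE = User("alice", "CS", clearance=2)
BOB = User("bob", "CS", clearance=1)
CS_GRADES = Obj("cs101_grades", "grade_record", "CS", level=2)
MATH_GRADES = Obj("m201_grades", "grade_record", "MATH", level=2)
NOTICE = Obj("campus_notice", "announcement", "ALL", level=0)

def authorize(user: User, op: str, obj: Obj) -> Tuple[bool, str]:
    """Return (decision, reason). The security-level check is mandatory and
    precedes any role lookup; a task grants (op, kind) only if its constraint holds."""
    if user.clearance < obj.level:
        return False, "security level: clearance %d < object level %d" % (user.clearance, obj.level)
    blocked = None
    for post in USER_POSTS.get(user.uid, []):
        for role in POSTS.get(post, []):
            for tname in ROLES.get(role, []):
                task = TASKS[tname]
                if (op, obj.kind) in task.perms:
                    if task.constraint(user, obj):
                        return True, "granted via post=%s role=%s task=%s" % (post, role, tname)
                    blocked = "task %s: attribute constraint failed" % tname
    return False, blocked or "no task grants (%s, %s)" % (op, obj.kind)
```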