Research on Access Control and System Implementation for the Changzhi Netcom MIS
Abstract
With the rapid development of computer, communication and network technology, most enterprises hope to improve their competitiveness, reduce operating costs and make decisions more efficiently by building up their own information systems. However, the security of network applications has become the main factor restricting this development, and the complexity of security management is a considerable challenge when administering a large number of networked systems. Access control, currently the most popular technology and the main strategy for network security prevention and protection, has been applied throughout operating systems, databases and networks. The role-based access control (RBAC) model, as the mainstream access control model, offers greater flexibility and extensibility than traditional discretionary and mandatory access control.

This paper addresses the design and implementation of the management information system (MIS) of Changzhi Netcom Group. It first compares and analyzes the three mainstream access control technologies, discretionary access control (DAC), mandatory access control (MAC) and role-based access control, with a focus on the RBAC model. Based on the business requirements of the MIS, it introduces the concepts of group and station to extend the role-based access control model; the extended model is called the GSRBAC/Web model (Group and Station Role-Based Control / Web Model). Groups and stations are introduced to strengthen business management and to simplify authorization. On the basis of the GSRBAC/Web model, the functional components are designed, and the Acegi Security System is extended with the new model so that it becomes a concrete implementation of GSRBAC/Web. To strengthen collaborative work within the system, the OSWorkflow workflow engine is used to design and implement the functions that require data to be routed between participants. The paper describes the development of the Changzhi Netcom Group MIS in detail, covering system modeling, the design of the access control scheme, OSWorkflow workflow technology, and the design and implementation of the functional modules.
