Research on UCON-Based Access Control for Web Services
Abstract
With the development of information technology, Internet-based application systems have become commonplace across fields and industries. SOA is one of the most popular topics today and an important architectural technology in electronic commerce: it lets an e-commerce platform apply security controls to its services and monitor their state. Because Web Services can integrate software services across platforms and free them from the constraints of any single transport protocol, Web Services have become the technology of choice for SOA.
     Web Services suit heterogeneous systems, are easy to develop and deploy, and are easy to discover and invoke, so in recent years they have become very popular and widely used. Their use in electronic commerce makes Web Services security very important, and access control is an important part of that security. A sound access control policy is one of the key factors in keeping Web Services secure.
     This thesis studies access control in the Web Services architecture. First, it analyzes the characteristics of the Web Services architecture and its access control requirements, and compares the strengths and weaknesses of traditional access control models such as DAC and RBAC against those requirements. Second, it studies UCON, the new-generation conceptual access control model, analyzes its core ABC model in detail, and, building on the UCON conceptual model together with the strengths of the traditional models and the access control needs of the Web Services architecture, constructs an access control model suited to Web Services. On the basis of this theoretical analysis, the thesis then designs the corresponding access control system modules from the constructed model. The access control system has two main parts, authentication and authorization. The authentication part is implemented mainly with the SRP security protocol; the authorization part is designed and implemented mainly on the ideas of UCON's core ABC model. The model is implemented mainly in Java, with xfire used as the SOAP engine to control SOAP messages.
     Finally, the thesis analyzes and summarizes the research and experimental results, points out the strengths of the access control model, explains its shortcomings and the aspects that need improvement, and proposes the focus of future research and the work that remains to be done.
With the development of information technology, Internet-based application systems are now prevalent in every field and industry. SOA is a very popular topic now and an important architectural technology for electronic commerce. Using it, an e-commerce platform can control its services securely and monitor their state. Web Services can integrate software services regardless of platform and without being restricted by the transmission protocol, which makes Web Services the first choice for SOA.
     Web Services have several benefits: they are suited to integrating completely different computing systems, are fast and cheap to develop, and are easy to deploy, so in recent years they have become very popular and widely used in many fields. Because of their use in e-commerce, the security of Web Services has become very important, and access control is one important part of it. A good access control method is one of the important factors in protecting Web Services.
     This thesis discusses access control for Web Services. First, it analyzes the characteristics of Web Services and their access control requirements, and compares them with traditional access control models such as DAC and RBAC. Second, it studies the UCON access control model, the new generation of access control model, and builds a Web Services access control model on the ideas of UCON and the merits of the traditional access control models, according to the requirements of Web Services access control. Then, we design the Web Services access control system module based on this model. The access control module consists of two modules, an authentication module and an authorization module. The authentication module is implemented with the SRP protocol, and the authorization module is designed and implemented with the ABC model. We implement the model in Java and use xfire, a popular SOAP engine, to control the SOAP messages.
     Finally, the thesis analyzes and summarizes the results, points out the advantages and shortcomings of the access control model, and shows what should be done next.
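The abstract only names the authorization design: decisions follow UCON's core ABC model (Authorizations over subject and object attributes, oBligations the caller must fulfil, and environmental Conditions), with attributes that may be updated before, during and after use. The following is an added illustration, not code from the thesis or its Java/xfire implementation, of what such a decision point looks like for a service invocation: a pre-decision over A, B and C, a pre-update that consumes a call quota, an ongoing check that revokes an active usage when a condition stops holding, and a post-update on completion. The attribute names (`role`, `calls_left`, `allowed_roles`, `invocations`), the obligation `accepted_terms` and the service-hours condition are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Attribute stores are plain dicts here; a SOAP handler would fill them from
# the authenticated caller and the target service (constructed example).
Attrs = Dict[str, object]


@dataclass
class Policy:
    """UCON_ABC policy for one right."""
    authorizations: List[Callable[[Attrs, Attrs], bool]]   # A: over (subject, object)
    pre_obligations: List[str]                              # B: must be fulfilled before use
    conditions: List[Callable[[Attrs], bool]]               # C: over the environment
    pre_update: Optional[Callable[[Attrs, Attrs], None]] = None   # mutate attrs on grant
    post_update: Optional[Callable[[Attrs, Attrs], None]] = None  # mutate attrs on completion


@dataclass
class Session:
    """One usage of a right; 'active' is False once denied, revoked or ended."""
    subject: Attrs
    obj: Attrs
    right: str
    active: bool
    reason: str


class UsageControl:
    def __init__(self, policies: Dict[str, Policy]):
        self.policies = policies

    def _check(self, pol: Policy, subject: Attrs, obj: Attrs, env: Attrs) -> str:
        # Returns "" when A and C hold, otherwise the component that failed.
        if not all(a(subject, obj) for a in pol.authorizations):
            return "authorization failed"
        if not all(c(env) for c in pol.conditions):
            return "condition failed"
        return ""

    def request(self, subject: Attrs, obj: Attrs, right: str,
                env: Attrs, fulfilled: Set[str]) -> Session:
        """Pre-decision: A, then B, then C; pre-update only on grant."""
        pol = self.policies.get(right)
        if pol is None:
            return Session(subject, obj, right, False, "no policy for right")
        if not all(a(subject, obj) for a in pol.authorizations):
            return Session(subject, obj, right, False, "authorization failed")
        missing = [b for b in pol.pre_obligations if b not in fulfilled]
        if missing:
            return Session(subject, obj, right, False,
                           "obligation not fulfilled: " + ",".join(missing))
        if not all(c(env) for c in pol.conditions):
            return Session(subject, obj, right, False, "condition failed")
        if pol.pre_update:
            pol.pre_update(subject, obj)
        return Session(subject, obj, right, True, "")

    def ongoing_check(self, session: Session, env: Attrs) -> Session:
        """Ongoing decision: re-evaluate A and C while the usage is active."""
        if session.active:
            reason = self._check(self.policies[session.right],
                                 session.subject, session.obj, env)
            if reason:
                session.active = False
                session.reason = "revoked: " + reason
        return session

    def end(self, session: Session) -> Session:
        """Normal completion: apply the post-update, then close the session."""
        pol = self.policies[session.right]
        if session.active and pol.post_update:
            pol.post_update(session.subject, session.obj)
        session.active = False
        return session


# Constructed policy for the right "invoke" on a service.
def role_and_quota(subject: Attrs, obj: Attrs) -> bool:
    return subject["role"] in obj["allowed_roles"] and subject["calls_left"] > 0

def in_service_window(env: Attrs) -> bool:
    return 8 <= env["hour"] < 18          # assumed service hours

def consume_call(subject: Attrs, obj: Attrs) -> None:
    subject["calls_left"] -= 1            # mutable subject attribute (pre-update)

def count_invocation(subject: Attrs, obj: Attrs) -> None:
    obj["invocations"] += 1               # mutable object attribute (post-update)

UCON = UsageControl({"invoke": Policy([role_and_quota], ["accepted_terms"],
                                      [in_service_window], consume_call, count_invocation)})


def demo():
    """Walks a constructed caller through grant, denials, revocation and completion."""
    alice = {"name": "alice", "role": "partner", "calls_left": 2}
    bob = {"name": "bob", "role": "guest", "calls_left": 5}
    svc = {"name": "OrderService", "allowed_roles": {"partner"}, "invocations": 0}
    s1 = UCON.request(alice, svc, "invoke", {"hour": 10}, {"accepted_terms"})  # granted
    s2 = UCON.request(bob, svc, "invoke", {"hour": 10}, {"accepted_terms"})    # A fails
    s3 = UCON.request(alice, svc, "invoke", {"hour": 10}, set())               # B fails
    s4 = UCON.request(alice, svc, "invoke", {"hour": 22}, {"accepted_terms"})  # C fails
    UCON.ongoing_check(s1, {"hour": 19})   # service window closed mid-use: revoked
    s5 = UCON.end(UCON.request(alice, svc, "invoke", {"hour": 11}, {"accepted_terms"}))
    s6 = UCON.request(alice, svc, "invoke", {"hour": 11}, {"accepted_terms"})  # quota exhausted
    return s1, s2, s3, s4, s5, s6, alice, svc
```

The ordering in `request` mirrors the ABC components, and the only state the engine keeps outside the session is the mutable attributes themselves, which is what distinguishes UCON from a one-shot DAC or RBAC check: the second grant exhausts `calls_left`, so the following request is denied by the same authorization predicate without any policy change.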
