Design and Implementation of an RBAC-Based Privilege Management Component
Abstract
Access control is the main strategy for network security defense and protection; its principal task is to ensure that network resources are not used or accessed illegitimately. Traditional access control can no longer satisfy the growing demand for security. Role-Based Access Control (RBAC) introduces the concept of a role: users are mapped to roles within an organization, access permissions are granted to those roles, and access is authorized and controlled according to the role a user holds in the organization. This effectively combines the strengths of traditional access control techniques while overcoming their shortcomings, makes the enforcement of an enterprise's protection policy more flexible, and gives administrators a better environment in which to implement security policy.
     Taking the RBAC model as its basis, this thesis uses the Spring framework together with ibatis to design and implement a privilege management component that provides complete user identity authentication and a centralized application authorization system. The main work of the thesis is as follows:
     1. The RBAC model is analysed in detail and, drawing on the advantages of Spring and ibatis for component development, a general-purpose, secure component application framework is designed. On this framework and the RBAC model, the component's function modules, access control and database are designed in detail.
     2. The component's persistence layer, business layer and control layer are implemented with the Spring framework and ibatis. Because Spring integrates with many other frameworks (e.g. Struts, JSF), the interfaces exposed by the business layer can be called by different external applications, which gives the component its generality.
     3. User identity authentication and permission checking are implemented on the Spring framework's interception mechanism. The MD5 message-digest hash algorithm is used to encrypt the user's login password for transmission, to guard against eavesdropping, and to store password data in the database in encrypted form; this realizes the component's security mechanism and effectively integrates access control, transmission encryption and database encryption.
     4. In a concrete project, the privilege management component is applied to the back-office management system of a television station.
     The privilege management component designed and implemented in this thesis has been successfully deployed in a television station's back-office management system. Practice shows that the component is highly reusable, flexible in authorization and strong in security.
Access control is the main strategy of network security defense and protection: it guarantees that network resources cannot be used or accessed illegitimately, and it is one of the core strategies for guaranteeing network security. Traditional access control can no longer meet the growing need for security. Role-Based Access Control (RBAC) introduces the concept of a role: a user is mapped to a certain role, and access control is performed according to the user's role in the organization, which effectively overcomes the shortcomings of traditional access control techniques. It makes the enforcement of a specific protection policy more flexible and gives the administrator a better environment in which to implement security policy.
     Based on the RBAC model and using the Spring framework and ibatis, this thesis designs and implements a privilege management component that provides complete user identity authentication and a centralized application authorization system. The main work of the thesis is as follows:
     1. Analysing the RBAC model and combining the strengths of Spring and ibatis in component development, a versatile and secure component application framework is designed. Based on this framework and the RBAC model, the function modules, access control and database are designed in detail.
     2. The implementation of the component's persistence layer, business layer and control layer is described. Because the Spring framework integrates with many other frameworks (e.g. Struts, JSF), the business layer can also provide interfaces for different external applications to call, realizing the versatility of the component.
     3. Based on the Spring framework's interceptor mechanism, user identity authentication and authorization checking are designed and implemented. To prevent interception, Message Digest 5 (MD5) is used to encrypt the user password for transmission, and the encrypted password is stored in the database; this implements the security mechanism and effectively integrates access control, transmission encryption and database encryption.
     4. In a practical project, the privilege management component is applied to the back-office management system of a television station.
     The privilege management component designed and implemented in this thesis has been successfully applied to the back-office management system of a television station. Practice shows that the component has good versatility, flexible authorization and strong security.
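As an added illustration of the user-role-permission mapping and the deny-by-default interceptor check the abstract describes (this is not the thesis's Java/Spring code; Python is used as a language-neutral sketch), the example below also adds a role hierarchy, which the abstract does not mention. The users, roles, resources and permissions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Added illustration of the RBAC core the abstract describes (users -> roles ->
# permissions, decisions made from the caller's roles). All names are constructed.
Permission = Tuple[str, str]  # (resource, operation)

@dataclass
class RBACPolicy:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    inherits_from: Dict[str, Set[str]] = field(default_factory=dict)
    def grant(self, role: str, resource: str, op: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, op))
    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)
    def inherit(self, senior: str, junior: str) -> None:
        # role hierarchy: the senior role acquires every grant of the junior role
        self.inherits_from.setdefault(senior, set()).add(junior)
    def effective_roles(self, user: str) -> Set[str]:
        # transitive closure over the hierarchy so inherited grants are honoured
        todo, seen = list(self.user_roles.get(user, ())), set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.inherits_from.get(r, ()))
        return seen
    def permitted(self, user: str, resource: str, op: str) -> bool:
        # deny by default: no granting role (direct or inherited) means no access
        return any((resource, op) in self.role_perms.get(r, set())
                   for r in self.effective_roles(user))

def authorize(policy: RBACPolicy, user: str, resource: str, op: str):
    """Interceptor-style pre-check; the reason string is meant for audit logs."""
    if user not in policy.user_roles:
        return False, "unknown or unauthenticated user"
    if policy.permitted(user, resource, op):
        return True, "granted via roles " + ",".join(sorted(policy.effective_roles(user)))
    return False, "no role grants %s:%s" % (resource, op)

def build_sample_policy() -> RBACPolicy:
    # constructed back-office policy: admin > editor > viewer; alice edits, bob views
    p = RBACPolicy()
    p.grant("viewer", "schedule", "read")
    p.grant("editor", "schedule", "write")
    p.grant("admin", "user", "manage")
    p.inherit("editor", "viewer"); p.inherit("admin", "editor")
    p.assign("alice", "editor"); p.assign("bob", "viewer")
    return p
```

The thesis's MD5 handling of passwords (item 3) is outside this example; an unsalted fast hash such as MD5 is no longer considered adequate for stored passwords, and a dedicated password hash with a per-user salt is the current recommendation.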