Research and Application of RBAC Technology in Management Systems
Abstract
Access control is central to enterprise application security, yet traditional access control models struggle to meet the needs of complex enterprise environments. Since the 1990s the RBAC (Role-Based Access Control) model has been studied in depth and applied in real systems. By placing roles between users and permissions it separates the two logically: permissions are assigned to roles, users reach resources through the roles they hold, and this greatly reduces the complexity of authorization management while giving administrators a better management environment. However, today's enterprises have high staff turnover and complex organizational structures, which under the basic model make permission assignment inflexible and maintenance costly; solving these problems requires improvements in both the theory and the practical techniques of system development. Extending and improving the existing RBAC model, so that the resulting software is highly reusable, therefore has both theoretical and practical significance.
     The main work of this thesis is as follows:
     1) It first introduces three access control policies: Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role-Based Access Control (RBAC), concentrating on the concepts behind RBAC and its advantages and disadvantages.
     2) Starting from the current state of enterprise management and the shortcomings of the basic RBAC model, it proposes corresponding solutions and extends the basic model in three ways: (i) user groups are introduced so that users can be grouped; (ii) authorization at the department level is introduced to reduce the number of authorization operations; (iii) permissions can be assigned directly to a user, to accommodate temporary permissions. The result is a new access control model whose structure, principles, access mechanism and characteristics are analysed.
     3) For the implementation, it describes the technologies used in developing the system: the mature MVC pattern and the Struts and Hibernate frameworks, and finally the architecture obtained by combining Hibernate with Struts.
     4) In practice, it applies the extended model together with the Struts and Hibernate frameworks to develop a permission management system based on the extended RBAC model, and uses a technical communication platform as a worked case to demonstrate the extensibility of that permission management system.
     The analysis, design and implementation of the extended RBAC model in this thesis show that, when applied in large-scale enterprise information management systems, the extended role-based access control model offers high security and stricter access control, lowers development and maintenance costs, and has good application prospects.
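The extended model in point 2 combines four sources of permission: roles held directly by a user, roles granted to a user group, roles granted to a department, and temporary permissions granted straight to a user. The Python below is an added example and not the thesis's own code (the thesis system is a Java application built on Struts and Hibernate); the entity classes, the permission strings such as "doc:read", the role hierarchy and the sample users are all assumptions made for illustration. It shows the access decision such a permission management system has to make, including the part a practitioner should check most carefully: a direct user-to-permission grant bypasses the role abstraction, so here every direct grant carries an expiry and every decision returns a reason that can be logged.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: list = field(default_factory=list)   # a senior role inherits its parents' permissions


@dataclass
class DirectGrant:
    permission: str
    expires_at: datetime                          # temporary grants must expire (assumed policy)


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)       # roles assigned to the user directly
    groups: set = field(default_factory=set)      # user groups the user belongs to
    department: str = None                        # department the user sits in
    direct: list = field(default_factory=list)    # temporary direct permission grants


class ExtendedRBAC:
    """Decision point for the extended model: roles via user, group and department, plus direct grants."""

    def __init__(self):
        self.roles = {}        # role name -> Role
        self.group_roles = {}  # group name -> set of role names
        self.dept_roles = {}   # department name -> set of role names
        self.users = {}        # user name -> User

    def add_role(self, name, permissions=(), parents=()):
        self.roles[name] = Role(name, set(permissions), [self.roles[p] for p in parents])
        return self.roles[name]

    def role_permissions(self, name, seen=None):
        """Permissions of a role including everything inherited up the hierarchy (cycle-safe)."""
        seen = seen if seen is not None else set()
        if name in seen:
            return set()
        seen.add(name)
        role = self.roles[name]
        perms = set(role.permissions)
        for parent in role.parents:
            perms |= self.role_permissions(parent.name, seen)
        return perms

    def role_sources(self, user):
        """Yield (how_obtained, role_name) for every role the user holds."""
        for r in user.roles:
            yield f"user-role:{r}", r
        for g in user.groups:
            for r in self.group_roles.get(g, ()):
                yield f"group:{g}", r
        if user.department:
            for r in self.dept_roles.get(user.department, ()):
                yield f"department:{user.department}", r

    def check(self, username, permission, now=None):
        """Return (allowed, reason). The reason string is what an audit log should record."""
        now = now or datetime.now()
        user = self.users.get(username)
        if user is None:
            return False, "deny: unknown user"
        for source, role in self.role_sources(user):
            if permission in self.role_permissions(role):
                return True, f"allow via {source} (role {role})"
        for grant in user.direct:                  # consulted only when no role grants the permission
            if grant.permission == permission:
                if grant.expires_at > now:
                    return True, f"allow via direct grant (expires {grant.expires_at:%Y-%m-%d %H:%M})"
                return False, f"deny: direct grant for {permission} expired {grant.expires_at:%Y-%m-%d %H:%M}"
        return False, "deny: no matching role or grant"


def build_demo():
    """Constructed sample data: three roles, one group, one department, three users."""
    ac = ExtendedRBAC()
    ac.add_role("employee", {"doc:read"})
    ac.add_role("manager", {"doc:approve"}, parents=["employee"])
    ac.add_role("auditor", {"audit:read"})
    ac.group_roles["project-x"] = {"employee"}
    ac.dept_roles["finance"] = {"auditor"}
    t0 = datetime(2024, 1, 1, 9, 0)
    ac.users["alice"] = User("alice", roles={"manager"})
    ac.users["bob"] = User("bob", groups={"project-x"}, department="finance")
    ac.users["carol"] = User("carol", direct=[DirectGrant("doc:approve", t0 + timedelta(days=1))])
    return ac, t0


if __name__ == "__main__":
    ac, t0 = build_demo()
    for who, perm, when in [("alice", "doc:read", t0), ("bob", "audit:read", t0),
                            ("carol", "doc:approve", t0), ("carol", "doc:approve", t0 + timedelta(days=2))]:
        print(who, perm, ac.check(who, perm, when))
```

Evaluation order matters: role-derived permissions are checked first, so a direct grant is only ever the reason for an allow when no role already covers the permission, which keeps the audit trail honest about which mechanism actually opened the door. When adopting the direct-grant extension, treat an unexpired grant as an exception to review periodically; the model makes temporary access easy to hand out, and without an expiry and a reason in the log it quietly turns back into the per-user permission sprawl that RBAC was introduced to remove.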