Design and Implementation of a Multi-Domain Single Sign-On System
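Abstract
Single sign-on technology occupies a very important position in enterprise informatization. Faced with a growing number of enterprise application systems, single sign-on not only improves the overall security of enterprise systems but also speeds up staff and user access to those systems, greatly improving work efficiency.
     This thesis studies existing single sign-on technologies in depth and examines the various implementation models for single sign-on. After reviewing a range of single sign-on systems and products from China and abroad, it proposes the concept of multi-domain single sign-on and designs and implements a prototype system. Multi-domain single sign-on connects multiple single sign-on systems into one large network of single sign-on systems, in which a user can sign on once not only within a single sign-on system but also across different systems. Each single sign-on system in this network is called a single sign-on domain; this is the meaning of "domain" in multi-domain single sign-on. A traditional single sign-on system is generally divided into two parts, an authentication server and an authentication proxy. To realize the multi-domain idea, this system adds an SSO registration center module, so the final system consists of three modules: the SSO registration center, the domain authentication server, and the authentication proxy. The SSO registration center stores and relays the domain authentication server information of each SSO domain and is the upper-level coordinating module of the multi-domain single sign-on system. The domain authentication server module is functionally similar to the authentication server module in a traditional single sign-on system, with additional functions for the multi-domain environment. The authentication proxy module protects web applications that require authentication for access.
     The thesis first introduces the concept of single sign-on and the current state of development of single sign-on technology. It then introduces the technologies involved in implementing single sign-on, including security and encryption techniques, the SSL and HTTPS protocols, and session technology. Next it discusses in detail the design goals, system architecture and working principles of the multi-domain single sign-on system, together with its concrete implementation and deployment, and finally it discusses the goals for further research.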
Single sign-on (SSO) technology occupies a very important position in enterprise informatization. In the face of an increasing number of enterprise applications, SSO not only improves the overall security of enterprise systems but also increases the speed at which staff and other users access those systems, greatly improving work efficiency.
     In this paper, existing single sign-on technology is first studied thoroughly, and a variety of implementation models are examined. After reference to a variety of domestic SSO products, the concept of multi-domain single sign-on (MSSO) is proposed and a prototype system is designed and implemented. MSSO links a number of SSO systems to form a large network. In this network, users can sign on not only within one single sign-on system but also between different systems. Each single sign-on system is called a single sign-on domain, which is the concept of the domain in MSSO. A traditional single sign-on system is generally divided into two parts, an authentication proxy and an authentication server. To implement the multi-domain idea, an SSO registration center module is added to the system. The final system comprises three parts: the SSO registration center, the domain authentication server and the authentication proxy. The SSO registration center stores and relays the domain authentication server information of all SSO domains and is the top-level control module of the multi-domain single sign-on system. The domain authentication server module is similar in function to the authentication server module of a traditional single sign-on system, with some extra functions added for the multi-domain environment. The authentication proxy module protects web applications that can be visited only after the user has signed on.
     This paper first introduces the concept of single sign-on and the current development of single sign-on technology. Secondly, it introduces technologies related to single sign-on, including security and encryption technology, the SSL and HTTPS protocols, and session technology. Thirdly, the design, system structure and working principle of the single sign-on system are discussed in detail. Finally, the goal of the next stage of research is proposed.
