Institute of Software, Chinese Academy of Sciences: Institutional Repository (ISCAS OpenIR)
Title:
Design and Implementation of a Policy-Based Security Authorization System for Web Application Servers
Author: 邓柳军 (Deng Liujun)
Defense date: 2008-06-05
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree-granting location: Institute of Software
Degree: Doctor
Keywords: Web application server; security framework; access control; security policy
Alternative title: The Design and Implementation of Policy Based Security Authorization Framework for Web Application Server
Abstract: With the development of China's economy, information technology has been widely applied, and many network application developers face complex security requirements when developing applications. Security middleware based on the J2EE specification provides applications with a role-based access control service, but this mechanism lacks sufficient flexibility and struggles to meet diverse application requirements and development trends; Web application servers need to provide a more flexible security authorization mechanism. To address these problems, this thesis proposes a policy-based security authorization framework for Web application servers. The framework uses a security policy language to describe the security authorization logic and provides the Web application server with a highly flexible, declarative security authorization service. The thesis first introduces today's main security authorization technologies and the security authorization frameworks adopted by mainstream Web application servers, analyzes the shortcomings of existing security authorization models, and then proposes a policy-based security authorization model. Based on this model, the thesis designs and implements a policy-based security authorization framework. The framework uses a layered architecture to implement its security functions: a security interface layer, a security service layer, a security provider interface layer and a security provider layer. The security interface layer provides external components with an access interface to the security authorization service; the security service layer implements the core functions, such as parsing security policy files, looking up security attributes and policies, and evaluating access requests, and thus concretely implements the security authorization service; the security provider interface layer defines the interfaces of the data types, policy algorithms and other elements used in security policies; the security provider layer supplies default implementations of the data types and policy algorithms behind the security provider interfaces. Using an XML structured object model together with the Java runtime dynamic binding mechanism, the framework implements dynamic loading of security providers. In addition, the framework can dynamically look up the security attributes a user is concerned with. The layered architecture separates the security authorization process from the concrete implementation of security policies, giving the framework good extensibility. Finally, the thesis applies the security authorization framework to OnceAS, the J2EE application server developed by the Institute of Software, Chinese Academy of Sciences. First, the security mechanisms of the EJB container and Web container are implemented by extending the original security framework; then access by applications to the Java API is managed by extending the Java platform's security manager; finally, the JMX security mechanism is extended to manage the individual components of the Web application server and provide security services to Web applications.
English abstract: With the development of our economy, information technologies are widely applied. Many Web application developers have to face complex security requirements when developing applications. Security middleware based on the J2EE specification provides a Role Based Access Control security service; however, this mechanism is not flexible enough to satisfy the diverse needs of applications, and Web application servers need a more flexible authorization mechanism. To solve this problem, we propose a policy-based Web application server authorization framework. This framework describes the security logic with a policy language and provides the Web application server with a highly flexible authorization service. This paper first introduces the major security authorization technologies and the authorization frameworks of some popular application servers, then analyses the shortcomings of current authorization models and proposes a policy-based authorization model. According to this authorization model, the paper presents the design and implementation of a policy-based authorization framework. To achieve its security features, the framework uses a hierarchical structure divided into a security interface layer, a security service layer, a security provider interface layer and a security provider layer. The security interface layer provides the access interface of the authorization service to external components. The security service layer realizes the authorization service by providing key functions such as parsing the policy files, looking up security attributes and policies, and evaluating security access. The security provider interface layer defines the interfaces of the data types and algorithms used in the security policy, and the security provider layer provides the default implementations of these data types and algorithms.
The security authorization framework uses the XML structured object model and the Java runtime dynamic binding mechanism to load security providers dynamically according to the policy file, and the framework can look up security attributes at runtime. The layered architecture gives the security framework high extensibility by separating the authorization process from the realization of the security policy. At last we apply this framework to the J2EE application server OnceAS, which was developed by the Institute of Software, Chinese Academy of Sciences. We extend the old security framework with our security authorization and implement the security mechanisms of the EJB container and Web container. We then extend the Java security manager with our authorization framework to manage access to the Java API. Finally we extend the security mechanism of JMX to manage access to the components of the Web application server.
Language: Chinese
Content type: Thesis/Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/7024
Appears in Collections: Institute of Software, CAS

Files in This Item:

There are no files associated with this item.


Recommended Citation:
邓柳军 (Deng Liujun). Design and Implementation of a Policy-Based Security Authorization System for Web Application Servers [D]. Institute of Software. Institute of Software, Chinese Academy of Sciences. 2008-06-05.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.
Copyright © 2007-2017 Institute of Software, Chinese Academy of Sciences